CVE-2025-22224

Warnung

Medienbericht

EPSS 48.22%
Veröffentlicht 04.03.2025 12:15:33
Zuletzt bearbeitet 30.10.2025 19:52:49
Quelle security@vmware.com
CVE-Watchlists
Login
Unerledigt
Login

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Betroffene Produkte Warnungen 2 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

VMware ≫ ESXi Version7.0 Update-

VMware ≫ ESXi Version7.0 Updatebeta

VMware ≫ ESXi Version7.0 Updateupdate_1

VMware ≫ ESXi Version7.0 Updateupdate_1a

VMware ≫ ESXi Version7.0 Updateupdate_1b

VMware ≫ ESXi Version7.0 Updateupdate_1c

VMware ≫ ESXi Version7.0 Updateupdate_1d

VMware ≫ ESXi Version7.0 Updateupdate_1e

VMware ≫ ESXi Version7.0 Updateupdate_2

VMware ≫ ESXi Version7.0 Updateupdate_2a

VMware ≫ ESXi Version7.0 Updateupdate_2c

VMware ≫ ESXi Version7.0 Updateupdate_2d

VMware ≫ ESXi Version7.0 Updateupdate_2e

VMware ≫ ESXi Version7.0 Updateupdate_3

VMware ≫ ESXi Version7.0 Updateupdate_3c

VMware ≫ ESXi Version7.0 Updateupdate_3d

VMware ≫ ESXi Version7.0 Updateupdate_3e

VMware ≫ ESXi Version7.0 Updateupdate_3f

VMware ≫ ESXi Version7.0 Updateupdate_3g

VMware ≫ ESXi Version7.0 Updateupdate_3i

VMware ≫ ESXi Version7.0 Updateupdate_3j

VMware ≫ ESXi Version7.0 Updateupdate_3k

VMware ≫ ESXi Version7.0 Updateupdate_3l

VMware ≫ ESXi Version7.0 Updateupdate_3m

VMware ≫ ESXi Version7.0 Updateupdate_3n

VMware ≫ ESXi Version7.0 Updateupdate_3o

VMware ≫ ESXi Version7.0 Updateupdate_3p

VMware ≫ ESXi Version7.0 Updateupdate_3q

VMware ≫ ESXi Version7.0 Updateupdate_3r

VMware ≫ ESXi Version8.0 Update-

VMware ≫ ESXi Version8.0 Updatea

VMware ≫ ESXi Version8.0 Updateb

VMware ≫ ESXi Version8.0 Updatec

VMware ≫ ESXi Version8.0 Updateupdate_1

VMware ≫ ESXi Version8.0 Updateupdate_1a

VMware ≫ ESXi Version8.0 Updateupdate_1c

VMware ≫ ESXi Version8.0 Updateupdate_1d

VMware ≫ ESXi Version8.0 Updateupdate_2

VMware ≫ ESXi Version8.0 Updateupdate_2b

VMware ≫ ESXi Version8.0 Updateupdate_2c

VMware ≫ ESXi Version8.0 Updateupdate_3

VMware ≫ ESXi Version8.0 Updateupdate_3b

VMware ≫ ESXi Version8.0 Updateupdate_3c

VMware ≫ Cloud Foundation Version-

VMware ≫ Telco Cloud Infrastructure Version2.2

VMware ≫ Telco Cloud Infrastructure Version2.5

VMware ≫ Telco Cloud Infrastructure Version2.7

VMware ≫ Telco Cloud Infrastructure Version3.0

VMware ≫ Telco Cloud Platform Version2.0

VMware ≫ Telco Cloud Platform Version2.5

VMware ≫ Telco Cloud Platform Version2.7

VMware ≫ Telco Cloud Platform Version3.0

VMware ≫ Telco Cloud Platform Version4.0

VMware ≫ Telco Cloud Platform Version4.0.1

VMware ≫ Telco Cloud Platform Version5.0

VMware ≫ Workstation Version >= 17.0 < 17.6.3

04.03.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

Schwachstelle

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

04.03.2025: CERT.at Warnung

https://www.cert.at/de/warnungen/2025/3/kritische-sicherheitslucken-in-vmware-esxi-workstation-und-fusion-aktiv-ausgenutzt-updates-verfugbar

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	48.22%	0.976

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	1.5	6	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
security@vmware.com	9.3	2.5	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

https://www.heise.de/news/VMware-ESXi-Fusion-Workstation-Admins-patchen-kritische-Luecke-nicht-10518097.html

Medienbericht

heise Security

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22224

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-22224

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-22224

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-22224

EUVD