9.3

CVE-2025-22224

Warnung
Medienbericht

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMwareESXi Version7.0 Update-
VMwareESXi Version7.0 Updatebeta
VMwareESXi Version7.0 Updateupdate_1
VMwareESXi Version7.0 Updateupdate_1a
VMwareESXi Version7.0 Updateupdate_1b
VMwareESXi Version7.0 Updateupdate_1c
VMwareESXi Version7.0 Updateupdate_1d
VMwareESXi Version7.0 Updateupdate_1e
VMwareESXi Version7.0 Updateupdate_2
VMwareESXi Version7.0 Updateupdate_2a
VMwareESXi Version7.0 Updateupdate_2c
VMwareESXi Version7.0 Updateupdate_2d
VMwareESXi Version7.0 Updateupdate_2e
VMwareESXi Version7.0 Updateupdate_3
VMwareESXi Version7.0 Updateupdate_3c
VMwareESXi Version7.0 Updateupdate_3d
VMwareESXi Version7.0 Updateupdate_3e
VMwareESXi Version7.0 Updateupdate_3f
VMwareESXi Version7.0 Updateupdate_3g
VMwareESXi Version7.0 Updateupdate_3i
VMwareESXi Version7.0 Updateupdate_3j
VMwareESXi Version7.0 Updateupdate_3k
VMwareESXi Version7.0 Updateupdate_3l
VMwareESXi Version7.0 Updateupdate_3m
VMwareESXi Version7.0 Updateupdate_3n
VMwareESXi Version7.0 Updateupdate_3o
VMwareESXi Version7.0 Updateupdate_3p
VMwareESXi Version7.0 Updateupdate_3q
VMwareESXi Version7.0 Updateupdate_3r
VMwareESXi Version8.0 Update-
VMwareESXi Version8.0 Updatea
VMwareESXi Version8.0 Updateb
VMwareESXi Version8.0 Updatec
VMwareESXi Version8.0 Updateupdate_1
VMwareESXi Version8.0 Updateupdate_1a
VMwareESXi Version8.0 Updateupdate_1c
VMwareESXi Version8.0 Updateupdate_1d
VMwareESXi Version8.0 Updateupdate_2
VMwareESXi Version8.0 Updateupdate_2b
VMwareESXi Version8.0 Updateupdate_2c
VMwareESXi Version8.0 Updateupdate_3
VMwareESXi Version8.0 Updateupdate_3b
VMwareESXi Version8.0 Updateupdate_3c
VMwareCloud Foundation Version-
VMwareTelco Cloud Platform Version2.0
VMwareTelco Cloud Platform Version2.5
VMwareTelco Cloud Platform Version2.7
VMwareTelco Cloud Platform Version3.0
VMwareTelco Cloud Platform Version4.0
VMwareTelco Cloud Platform Version4.0.1
VMwareTelco Cloud Platform Version5.0
VMwareWorkstation Version >= 17.0 < 17.6.3

04.03.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

Schwachstelle

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 52.41% 0.978
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.2 1.5 6
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
security@vmware.com 9.3 2.5 6
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.