VMware ESXi TOCTOU OOB Write Allows VM Admin Code Exec as VMX
CVE-2025-22224 Published on March 4, 2025
VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Known Exploited Vulnerability
This VMware ESXi and Workstation TOCTOU Race Condition Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
The following remediation steps are recommended / required by March 25, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-22224 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a TOCTTOU Vulnerability?
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
CVE-2025-22224 has been classified to as a TOCTTOU vulnerability or weakness.
Products Associated with CVE-2025-22224
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-22224 are published in these products:
Affected Versions
VMware ESXi:- Version 8.0 and below ESXi80U3d-24585383 is affected.
- Version 8.0 and below ESXi80U2d-24585300 is affected.
- Version 7.0 and below ESXi70U3s-24585291 is affected.
- Version 17.x and below 17.6.3 is affected.
- Version 5.x, 4.5.x is affected.
- Version 5.x, 4.x, 3.x, 2.x is affected.
- Version 3.x, 2.x is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.