Critical TOCTOU Vulnerability Discovered in VMware ESXi and Workstation
On March 4, 2025, VMware disclosed a critical vulnerability tracked as CVE-2025-22224 (advisory VMSA-2025-0004), affecting multiple versions of VMware ESXi, Workstation, VMware Cloud Foundation, and Telco Cloud Platform. The bug is a Time-of-Check Time-of-Use (TOCTOU) race condition that results in an out-of-bounds write. An attacker with local administrative privileges inside a guest virtual machine can exploit it to execute code as that VM's VMX process on the host, crossing the guest/host boundary.
Understanding TOCTOU and the Vulnerability
TOCTOU (Time-of-Check Time-of-Use) is a race condition in which code validates a value or resource and then acts on it later, while something else can change it in between. The check is only as good as the assumption that what was checked is what gets used. In a guest-to-host interface the racer is the guest itself: memory it shares with the hypervisor can be rewritten by another vCPU at any moment, so a host that validates a guest-supplied value and then reads it again from guest memory (a "double fetch") has a check that can be bypassed. The typical outcome is a size or index that passes validation and is then swapped for one that does not, turning a bounds check into a memory-safety bug.
In CVE-2025-22224 the race produces an out-of-bounds write on the heap (a heap overflow) in the VMX process, the per-VM host process that services the guest. An attacker with local administrative privileges inside the guest can use it to run code as that VMX process. On ESXi the VMX process is sandboxed, so this is a guest escape onto the host rather than immediate control of the hypervisor kernel, but it is the foothold from which the host itself is attacked.
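The double-fetch pattern described above, as an added example (this is illustrative code written for this page, not VMware's code or the actual CVE-2025-22224 code path; the `shared_msg` layout, `HOST_CAP`, and the handler names are assumptions). The "racing guest" is modelled as a callback invoked inside the check-to-use window so the interleaving is deterministic; in a real exploit it is a second vCPU spinning on the shared field and winning only some attempts. A canary placed right after the host's buffer shows which handler lets the guest write past it:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical guest/host message layout for illustration (not VMware's).
 * The guest owns this memory and another vCPU can rewrite it at any moment,
 * so the host must treat every field as untrusted on every read. */
struct shared_msg {
    volatile uint32_t len;   /* guest-controlled length of data[] */
    uint8_t data[256];       /* guest-controlled payload */
};

#define HOST_CAP 64u         /* bytes the host reserved for the copy */
#define CANARY   0xDEADBEEFu

/* Host-side destination: HOST_CAP bytes, then a canary that an out-of-bounds
 * write clobbers, then slack so the demo overflow stays inside this object
 * instead of smashing the stack. */
struct host_dest {
    uint8_t region[512];
};

/* Stands in for the racing guest vCPU. Invoked explicitly inside the
 * check-to-use window so the demonstration is deterministic. */
typedef void (*race_fn)(struct shared_msg *m);

/* VULNERABLE: m->len is fetched twice. The bounds check validates the first
 * fetch; memcpy uses a second, unvalidated fetch from guest memory. */
int vulnerable_copy(struct shared_msg *m, struct host_dest *d, race_fn race)
{
    if (m->len > HOST_CAP)              /* time of check */
        return -1;
    if (race) race(m);                  /* guest rewrites len here */
    memcpy(d->region, m->data, m->len); /* time of use: re-reads m->len */
    return (int)m->len;
}

/* HARDENED: fetch the guest value once into host-private storage, validate
 * that copy, and never consult guest memory for it again. */
int hardened_copy(struct shared_msg *m, struct host_dest *d, race_fn race)
{
    uint32_t len = m->len;              /* single fetch */
    if (len > HOST_CAP)
        return -1;
    if (race) race(m);                  /* guest's later change is irrelevant */
    memcpy(d->region, m->data, len);
    return (int)len;
}

/* Attacker's move: pass the check with a small length, then grow it. */
static void guest_grows_len(struct shared_msg *m) { m->len = 200; }

static void set_canary(struct host_dest *d)
{
    uint32_t c = CANARY;
    memset(d->region, 0, sizeof d->region);
    memcpy(d->region + HOST_CAP, &c, sizeof c);
}

static int canary_intact(const struct host_dest *d)
{
    uint32_t c;
    memcpy(&c, d->region + HOST_CAP, sizeof c);
    return c == CANARY;
}

/* Runs one handler against the racing guest; returns 1 if the host's canary
 * survived (no out-of-bounds write), 0 if it was clobbered. */
int run_against_racing_guest(int (*handler)(struct shared_msg *, struct host_dest *, race_fn))
{
    struct shared_msg m;
    struct host_dest d;
    memset(m.data, 0x41, sizeof m.data);   /* constructed sample payload */
    m.len = 16;                            /* passes the bounds check */
    set_canary(&d);
    handler(&m, &d, guest_grows_len);
    return canary_intact(&d);
}

int main(void)
{
    printf("vulnerable_copy: canary %s\n",
           run_against_racing_guest(vulnerable_copy) ? "intact" : "clobbered");
    printf("hardened_copy:   canary %s\n",
           run_against_racing_guest(hardened_copy) ? "intact" : "clobbered");
    return 0;
}
```

The fix is not a bigger buffer or a second check: it is reading each guest-controlled value exactly once into memory the guest cannot reach, and using only that private copy afterwards. Any later read of the shared field reopens the window.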
CVSS Details
The vulnerability has a CVSS v3.1 base score of 9.3 (CRITICAL), with the following vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This breakdown highlights the seriousness of the issue:
- Attack Vector: Local – the attacker must already be running code inside a guest VM on the affected host
- Attack Complexity: Low – no special conditions beyond winning the race
- Privileges Required: None in the published vector, because the guest-level privileges the attacker needs are not privileges on the vulnerable host; in practice the prerequisite is administrative access inside any one guest VM
- User Interaction: None
- Scope: Changed – the guest (where the attacker starts) and the host (where the code runs) are separate security authorities, i.e. a guest-to-host escape
- Impact on Confidentiality, Integrity, and Availability: High – code execution in the VMX process exposes the VM's memory and gives a foothold on the host
Affected Products and Versions
The following VMware products are affected:
- ESXi 7.0 versions before 7.0U3s-24585291
- ESXi 8.0 versions before 8.0U2d-24585300 and 8.0U3d-24585383
- Workstation 17.x versions before 17.6.3
- VMware Cloud Foundation 5.x and 4.5.x
- Telco Cloud Platform 5.x, 4.x, 3.x, 2.x
- Telco Cloud Infrastructure 3.x, 2.x
Exploitation and Mitigation
CISA has added CVE-2025-22224 to its Known Exploited Vulnerabilities (KEV) catalog, which means there is evidence of exploitation in the wild. Organizations should act urgently to:
- Apply the fixed VMware builds listed above; patching is the only real fix for the flaw
- Limit administrative access inside guest VMs, bearing in mind that tenants who manage their own VMs already have it, so this is a compensating control rather than a mitigation
- Isolate high-risk or untrusted workloads on separate, already-patched hosts until the fleet is updated
No user interaction is required, and the attacker needs nothing on the host itself, only administrative rights inside a guest VM. In multi-tenant or shared environments, where every tenant normally has such rights in their own VMs, that prerequisite is effectively already met, which is what makes this a practical guest-to-host escape.
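A quick way to turn the fixed builds listed above into an actual check, as an added example (this script is not from VMware or the advisory). It assumes the `Version:` and `Build:` fields printed by `esxcli system version get` on an ESXi host, and compares the build number against the fixed build for that update line; the sample esxcli output at the bottom is constructed, not captured from a real host:

```sh
#!/bin/sh
# Added check, not from the advisory: compare an ESXi host's build against the
# fixed builds listed above (7.0U3s-24585291, 8.0U2d-24585300, 8.0U3d-24585383).

# Print "patched", "vulnerable" or "unknown" for a version/build pair.
# $1 = Version (e.g. 8.0.3), $2 = Build (e.g. Releasebuild-24585383)
# Exit status: 0 patched, 1 vulnerable, 2 unknown.
esxi_22224_status() {
    ver=$1
    build=${2#Releasebuild-}
    case $build in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # not a build number
    esac
    case $ver in
        7.0.3) fixed=24585291 ;;                 # 7.0U3s
        8.0.2) fixed=24585300 ;;                 # 8.0U2d
        8.0.3) fixed=24585383 ;;                 # 8.0U3d
        7.0.*|8.0.*) echo vulnerable; return 1 ;; # earlier update lines, no fixed build listed
        *) echo unknown; return 2 ;;             # version not in the advisory table
    esac
    if [ "$build" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Pull the Version and Build fields out of `esxcli system version get` text on stdin.
parse_esxcli_version() {
    awk -F': *' '
        $1 ~ /Version$/ { v = $2 }
        $1 ~ /Build$/   { b = $2 }
        END { print v, b }'
}

# Feed the whole esxcli output text and get the verdict.
check_esxcli_output() {
    set -- $(printf '%s\n' "$1" | parse_esxcli_version)
    esxi_22224_status "$1" "$2"
}

# Workstation is versioned by release string; 17.6.3 is the first fixed 17.x release.
workstation_22224_status() {
    case $1 in
        17.6.[3-9]*|17.6.[1-9][0-9]*|17.[7-9].*|17.[1-9][0-9].*) echo patched; return 0 ;;
        17.*) echo vulnerable; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Constructed sample of `esxcli system version get` output (not from a real host).
SAMPLE_ESXCLI='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3'

check_esxcli_output "$SAMPLE_ESXCLI"   # prints: patched
```

On a live host run `esxcli system version get | parse_esxcli_version` and pass the two words to `esxi_22224_status`; the exit status makes it usable from a fleet-wide loop over SSH or PowerCLI. Versions outside the 7.0/8.0 lines report "unknown" rather than "patched", since the advisory table above lists no fixed build for them.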
Conclusion
CVE-2025-22224 is a critical, actively exploited vulnerability that underlines the importance of keeping hypervisors patched. VMware users should verify the build numbers of their ESXi hosts and the versions of their Workstation installations against the fixed releases listed above and apply the vendor updates immediately.