Threats / VMware / CVE-2025-22224
CVE-2025-22224
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
VMware ESXi and Workstation vulnerability
VMware ESXi and Workstation contain a TOCTOU race condition in memory handling that allows local VM administrators to write out-of-bounds and execute arbitrary code in the host VMX process.
Verdict
Today item — known-exploited.
A local attacker with administrative privileges inside a virtual machine can exploit a race condition to achieve code execution on the host hypervisor, potentially compromising the entire virtualization infrastructure and other hosted systems.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
11 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-03-04).
Probability (EPSS)
EPSS 0.01524 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: VMware, ESXi and Workstation. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-367 TOCTOU Race Condition.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-367 · TOCTOU Race Condition
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I gain administrative access to a guest virtual machine through credential compromise or insider access.
Business
Attacker establishes foothold within customer workload with elevated privileges.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I identify and trigger the TOCTOU race condition in ESXi or Workstation memory management during a specific window between validation and use.
Business
Vulnerability window exposes hypervisor kernel to exploitation despite access controls.
3
Lateral reach — past segmentation narrative 3
Attacker
I craft malicious input that causes an out-of-bounds write, corrupting memory in the VMX process running on the host.
Business
Host process integrity is compromised, enabling arbitrary code execution at hypervisor privilege level.
4
Data at risk — exfiltration narrative 4
Attacker
I execute arbitrary code within the VMX process context on the physical host.
Business
Attacker gains control of hypervisor, enabling lateral movement to other VMs, data exfiltration, and infrastructure compromise.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05