Threat Insight

CVE-2025-22224: Critical VMware TOCTOU Vulnerability

Broadcom has released security updates[1] to address three security flaws in VMware ESXi, Workstation, and Fusion products that were exploited in the wild before the vulnerabilities were publicly disclosed.

  • Insight

When chained together, these vulnerabilities allow an attacker with local administrative privileges in a guest virtual machine to obtain access to the underlying hypervisor (a VM escape) and subsequently to the hypervisor host and/or other virtual machines.

These issues would qualify under ITIL methodologies as an emergency change, requiring prompt action from your organization. However, the specific response timing depends on your unique circumstances.

Technical details about the vulnerabilities:

CVE-2025-22224 is a critical-severity Time-of-Check Time-of-Use (TOCTOU) vulnerability affecting VMware ESXi and Workstation. This vulnerability can lead to an out-of-bounds write, enabling a malicious actor with local administrative privileges on a virtual machine to execute code as the VM’s VMX process on the host.

TOCTOU is a type of race condition in which a system’s state can change between the time a value is checked and the time it is used, allowing an attacker who controls that state to slip past the check. This can lead to unauthorized actions, such as accessing or modifying resources that should be protected.
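As an added illustration (not code from the advisory or from VMware), the following C program models the double-fetch form of this bug class: a host-side handler validates a guest-controlled length and then re-reads it for the copy, while a hardened handler validates a single snapshot. The request layout, HOST_BUF and the simulated guest are assumptions; the actual VMX defect is not described in the advisory.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the TOCTOU-to-out-of-bounds-write pattern the
 * advisory describes. Not VMware's code: the request layout, HOST_BUF and
 * the simulated guest below are assumptions made for this example. */
#define HOST_BUF 32  /* bytes the host reserved for one request */
#define BACKING  64  /* backing array: HOST_BUF plus a guard region */

struct shared_req {            /* sits in guest-writable shared memory */
    uint8_t payload[BACKING];  /* its length field is modelled by read_len() */
};

/* Simulated race: the guest rewrites the length from another vCPU, so two host
 * reads need not agree: the first returns g_first_len, later ones return 64. */
static uint32_t g_first_len, g_reads;
static uint32_t read_len(void) { return g_reads++ == 0 ? g_first_len : 64; }

/* Vulnerable handler: validates one fetch, then copies using a second fetch. */
int handle_vulnerable(const struct shared_req *r, uint8_t *out) {
    if (read_len() > HOST_BUF)           /* time of check */
        return -1;
    memcpy(out, r->payload, read_len()); /* time of use: re-read, now 64 */
    return 0;
}

/* Hardened handler: snapshot the length once into host-private memory,
 * validate that snapshot, and copy using only the validated value. */
int handle_hardened(const struct shared_req *r, uint8_t *out) {
    uint32_t len = read_len();           /* single fetch */
    if (len > HOST_BUF)
        return -1;
    memcpy(out, r->payload, len);        /* bounded by the checked value */
    return 0;
}

/* Drive one handler with the guest's first advertised length. Returns -1 if
 * rejected, 0 if copied within HOST_BUF, 1 if bytes hit the guard region. */
int run_case(int (*h)(const struct shared_req *, uint8_t *), uint32_t first_len) {
    struct shared_req req;
    uint8_t out[BACKING];
    memset(req.payload, 0x41, sizeof req.payload);
    memset(out, 0xAA, sizeof out);       /* 0xAA marks untouched guard bytes */
    g_first_len = first_len; g_reads = 0; /* restart the simulated race */
    if (h(&req, out) != 0)
        return -1;
    for (int i = HOST_BUF; i < BACKING; i++)
        if (out[i] != 0xAA) return 1;    /* out-of-bounds write detected */
    return 0;
}
```

The vulnerable handler passes its own check and still overruns HOST_BUF, which is why the fix for this class is to copy guest-controlled values into host memory exactly once before validating them.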

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A threat actor with sufficient privileges within the VMX process can exploit this vulnerability to achieve arbitrary kernel writes, potentially leading to a sandbox escape.

A write-what-where condition is a vulnerability in which an attacker can write an arbitrary value to an arbitrary memory location, often as a result of a buffer overflow. This can lead to severe consequences such as arbitrary code execution, privilege escalation, or system instability.

CVE-2025-22226 is an information disclosure vulnerability affecting VMware ESXi, Workstation, and Fusion. This flaw originates from an out-of-bounds read in the Host Guest File System (HGFS) component. An attacker with administrative privileges on a virtual machine could exploit this vulnerability to potentially leak memory from the VMX process, which is the main process for running a VM.

An out-of-bounds read is a vulnerability that occurs when a program reads data past the end or before the beginning of the intended buffer. This can lead to unintended information disclosure, program crashes, or other unpredictable behavior.

CVE

CVE-2025-22224
CVE-2025-22225
CVE-2025-22226

Affected Products

  • VMware ESXi: versions 8.0, 7.0
  • VMware Workstation: version 17.x
  • VMware Fusion: version 13.x
  • VMware Cloud Foundation: versions 5.x, 4.5.x
  • VMware Telco Cloud Platform: versions 5.x, 4.x, 3.x, 2.x
  • VMware Telco Cloud Infrastructure: versions 3.x, 2.x [2]

Exploitation

Broadcom reports that it has information suggesting that exploitation of these vulnerabilities has occurred “in the wild”[2], but does not elaborate on the identity of the threat actors. All three vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog[3].

To remediate these three vulnerabilities, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ in Broadcom’s advisory[1].

References

[1] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
[2] https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
[3] https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog