CVE-2025-21571

CVE-2025-21571 is a vulnerability in the Core component of Oracle VM VirtualBox, part of Oracle Virtualization. Supported versions affected by this issue are those prior to 7.0.24 and prior to 7.1.6. The vulnerability is associated with CWE-732 (Incorrect Permission Assignment for Critical Resource) and carries a CVSS 3.1 base score of 7.3, with impacts to confidentiality, integrity, and availability.

The vulnerability is easily exploitable by a high privileged attacker who has logon access to the infrastructure where Oracle VM VirtualBox executes. Such an attacker can compromise Oracle VM VirtualBox, and while the flaw resides in VirtualBox, exploitation may significantly impact additional products due to a change in scope. Successful attacks can result in unauthorized creation, deletion, or modification of critical data or all Oracle VM VirtualBox accessible data, unauthorized read access to a subset of Oracle VM VirtualBox accessible data, and unauthorized ability to cause a partial denial of service of Oracle VM VirtualBox. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L.

The Oracle security advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html.