CVE-2025-22225
Published: 04 March 2025
Description
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Security Summary
CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi, specifically affecting the VMX process. A malicious actor with privileges within the VMX process can trigger an arbitrary kernel write, enabling escape from the sandbox. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-787 (Out-of-bounds Write) and CWE-123 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).
Exploitation requires local access to the ESXi host with high privileges within the VMX process; attack complexity is low and no user interaction is needed. Successful exploitation results in a scope change from the VMX sandbox to the host kernel, with high impact on confidentiality, integrity, and availability, up to full host takeover.
The Broadcom security advisory provides details on affected versions and patches at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390. CISA has listed CVE-2025-22225 in its Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22225, indicating real-world exploitation by malicious actors.
This vulnerability, published on 2025-03-04, underscores the risks of VMX process privileges in virtualized environments and the urgency of applying vendor patches.
Details
- CWE(s): CWE-787, CWE-123
- KEV Date Added: 04 March 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
- T1611 (Escape to Host)
- T1068 (Exploitation for Privilege Escalation)
Why these techniques?
An arbitrary kernel write from the VMX sandbox directly enables escape from the sandbox to the host (T1611) and exploitation for privilege escalation to full host control (T1068).