CVE-2025-22224

CRITICAL KEV RANSOMWARE

VMware ESXi, Workstation - Code Injection

Title source: llm

Exploitation Summary

CVE-2025-22224 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 4, 2025, with confirmed use in ransomware campaigns.

Description

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

References (2)

Core 2

Core References

Vendor Advisory

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22224

Scores

CVSS v3 9.3

EPSS 0.4680

EPSS Percentile 97.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-03-04

VulnCheck KEV 2025-03-04

ENISA EUVD EUVD-2025-7603

Ransomware Use Confirmed

CWE

CWE-367

Status published

Products (9)

vmware/cloud_foundation

vmware/esxi 7.0 (29 CPE variants)

vmware/esxi 8.0 (14 CPE variants)

vmware/telco_cloud_infrastructure 2.2

vmware/telco_cloud_infrastructure 2.5

vmware/telco_cloud_infrastructure 2.7

vmware/telco_cloud_infrastructure 3.0

vmware/telco_cloud_platform 2.0

vmware/telco_cloud_platform 2.5

Published Mar 04, 2025

KEV Added Mar 04, 2025

Tracked Since Feb 18, 2026