⚠ Actively exploited
Added to CISA KEV on 2025-03-04. Federal agencies required to patch by 2025-03-25. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-22224Time-of-check Time-of-use (TOCTOU) Race Condition in Vmware Esxi

CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition10 documents7 sources
Severity
8.2HIGHNVD
CNA9.3VulnCheck9.3
EPSS
47.3%
top 2.30%
CISA KEV
KEV
Added 2025-03-04
Due 2025-03-25
Exploit
No known exploits
Affected products
5
Vmware EsxiVmware WorkstationVmware Telco Cloud Infrastructure+2 more
Timeline
PublishedMar 4
KEV addedMar 4
KEV dueMar 25
Latest updateFeb 4
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages9 packages

CVEListV5vmware/esxi8.0ESXi80U3d-24585383+2
CVEListV5vmware/workstation17.x17.6.3
NVDvmware/workstation17.017.6.3
NVDvmware/esxi7.0, 8.0+1
CVEListV5vmware/telco_cloud_platform5.x, 4.x, 3.x, 2.x

🔴Vulnerability Details

3
CVEList
CVE-2025-22224: VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write2025-03-04
GHSA
GHSA-j652-46fv-w96g: VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write2025-03-04
VulnCheck
VMware ESXi and Workstation TOCTOU Race Condition Vulnerability2025

📋Vendor Advisories

1
CISA
VMware ESXi and Workstation TOCTOU Race Condition Vulnerability2025-03-04

🕵️Threat Intelligence

3
Bleepingcomputer
CISA: VMware ESXi flaw now exploited in ransomware attacks2026-02-04
Bleepingcomputer
Over 37,000 VMware ESXi servers vulnerable to ongoing attacks2025-03-06
Bleepingcomputer
Broadcom fixes three VMware zero-days exploited in attacks2025-03-04