PT-2025-9651 · Vmware · Vmware Workstation+1

Published 2025-03-04 · Updated 2026-03-10 · CVE-2025-22224

CVSS v3.1: 9.3 Critical (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

VMware ESXi and Workstation versions prior to patch availability
VMware Fusion versions prior to patch availability

Description

VMware ESXi, Workstation, and Fusion contain a Time-of-Check Time-of-Use (TOCTOU) vulnerability that results in an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine can exploit this issue to execute code as the virtual machine's VMX process running on the host. The vulnerability allows attackers to escape the virtual machine and potentially compromise the hypervisor.

This vulnerability is actively exploited in the wild by multiple threat actors, including APT29, APT41, and APT28. Reports indicate that the exploit toolkit used in these attacks may have been developed as early as February 2024. Over 41,500 internet-exposed VMware ESXi instances are currently vulnerable. The exploitation of this vulnerability has been linked to initial access through compromised SonicWall VPNs and subsequent deployment of malicious toolkits like MAESTRO and VSOCKpuppet. These toolkits enable stealthy communication and evasion of network monitoring.

The vulnerability is related to the VMCI (Virtual Machine Communications Interface) and can lead to a VM escape, granting attackers control over the ESXi host. The VMX process is specifically targeted during exploitation.

Recommendations

Apply the latest security patches released by VMware for ESXi, Workstation, and Fusion as soon as possible.
Restrict access to the vulnerable VMX module to minimize the risk of exploitation.
Consider temporarily disabling the VMCI if it is not essential for your environment.
If possible, restrict local administrative privileges on virtual machines.

Fix

RCE

LPE

Time Of Check To Time Of Use

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2025-02354
CVE-2025-22224

Affected Products

Vmware Esxi
Vmware Workstation