Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

TOCTOU out-of-bounds write in VMware ESXi and Workstation VMCI

IdentifiersCVE-2025-22224CWE-367· Time-of-check Time-of-use (TOCTOU)…

CVE-2025-22224 is a critical Time-of-Check Time-of-Use (TOCTOU) race condition in VMware ESXi and VMware Workstation, specifically in the Virtual Machine Communication Interface (VMCI). According to the provided content, the flaw leads to an out-of-bounds write. A malicious actor with local administrative privileges inside a guest virtual machine can exploit the issue to achieve code execution in the context of the virtual machine’s VMX process running on the host. The vulnerability is described by VMware/Broadcom as one of a set of flaws that can be chained to compromise the hypervisor from a guest VM, and the content indicates it was observed as exploited in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker who already has local administrative privileges within a guest VM to corrupt memory and execute code as the VMX process on the host. Because the VMX process is part of the virtualization boundary, this can enable guest-to-host escape and can serve as a stepping stone toward broader hypervisor compromise when chained with related vulnerabilities. The content also indicates in-the-wild exploitation and use in exploit chains associated with hypervisor compromise activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting attacker ability to obtain administrative privileges inside guest VMs, restricting untrusted workloads on shared ESXi infrastructure, segmenting and monitoring virtualization environments, and prioritizing detection of suspicious VMCI/VMX-related activity. Because the flaw is a guest-to-host boundary issue and the content indicates active exploitation, mitigation should be treated only as a temporary risk-reduction measure until patches are applied.

Remediation

Patch, then assume compromise.

Apply the VMware/Broadcom security updates that address CVE-2025-22224 in affected VMware ESXi and VMware Workstation versions. The content states Broadcom fixed this vulnerability on March 4, 2025 as part of VMSA-2025-0004. Organizations should upgrade to vendor-fixed builds for all affected ESXi and Workstation deployments and ensure related VMware products in the environment are also reviewed for the companion flaws CVE-2025-22225 and CVE-2025-22226 where applicable.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
BroadcomCloud Foundationapplication
BroadcomEsxioperating_system
BroadcomTelco Cloud Infrastructureapplication
BroadcomTelco Cloud Platformapplication
BroadcomWorkstationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

37 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

37 SOURCESView more in app
dark readingNews
Mar 4, 2026
VMware Aria Operations Bug Exploited, Cloud Resources at Risk

A critical vulnerability affecting VMware ESXi and VMware Workstation (mentioned as a prior VMware zero-day disclosure).

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

An actively exploited VMware vulnerability (TOCTOU leading to out-of-bounds write) affecting ESXi/Workstation/Fusion.

Read more
scworldNews
Feb 6, 2026
CISA: Ransomware intrusions exploiting VMware ESXi bug ongoing | SC Media

A VMware ESXi vulnerability reportedly chained with CVE-2025-22225 in observed attacks.

Read more
cyber security newsNews
Feb 5, 2026
CISA Warns of VMware ESXi 0-day Vulnerability Exploited in Ransomware Attacks

A heap overflow vulnerability in the VMware VMCI driver, described as part of a chained ESXi/VMware escape exploit set.

Read more
+14 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware6

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity17

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-22224
NVD
nvd.nist.gov/vuln/detail/CVE-2025-22224
MITRE CWE · CWE-367
Time-of-check Time-of-use (TOCTOU) Race…
Vendor Advisory
support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22224