1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

Known Exploited Vulnerabilities CVE-2025-22224

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability exploitation_technique T1055 Process Injection
Comments
By exploiting the TOCTOU vulnerability in VMWare ESXi, Workstation, and Fusion, an attacker with local admin privileges can execute code in the VMX process on the host, in effect, functioning as an escape from the virtual machine to the host system.
References
  1. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
  2. https://westoahu.hawaii.edu/cyber/vulnerability-research/vulnerabilities-weekly-summaries/attacks-on-vmware-esxi/#:~:text=all%20impacted%20products.-
  3. Exploitation
  4. of%20VMs%20compromising%20the%20host.
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability primary_impact T1611 Escape to Host
Comments
By exploiting the TOCTOU vulnerability in VMWare ESXi, Workstation, and Fusion, an attacker with local admin privileges can execute code in the VMX process on the host, in effect, functioning as an escape from the virtual machine to the host system.
References
  1. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
  2. https://westoahu.hawaii.edu/cyber/vulnerability-research/vulnerabilities-weekly-summaries/attacks-on-vmware-esxi/#:~:text=all%20impacted%20products.-
  3. Exploitation
  4. of%20VMs%20compromising%20the%20host.