CVE-2025-22225

ENISA EUVD: EUVD-2025-7604 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 7 articles

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

9.78%

probability

This CVE has a 9.78% probability of being exploited in the next 30 days.

0% Top 93.1th percentile of all CVEs 100%

CVSS v3.1

Source: NVD

8.2

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

NVD

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Affected Products

vmware

esxi

vmware

cloud foundation

vmware

telco cloud infrastructure

vmware

telco cloud platform

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-123 · Write-what-where Condition CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

March 4, 2025

Reported by

Microsoft Threat Intelligence Center

Root Cause Analysis

???

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22225

US Government Resource

Signal Intelligence

Confidenceⓘ

92%

EPSS 9.78%

CVSS v3.1 8.2

Mentions 7

Last Seen Jan 09, 2026

CNA Information

Analyst Note

This CVE merits confirmation with high confidence due to active in-the-wild exploitation by Chinese-linked threat actors since October 2024, inclusion in Google Project Zero research, and multiple credible security vendor reports documenting real-world attacks. The vulnerability's high CVSS score (8.2), arbitrary kernel write capability enabling sandbox escape, and evidence of exploitation predating official disclosure substantiate the confirmed status.