CVE-2025-62627: Memory Leak in VMware ESXi
Platform: linux
Component: vmware-esxi
CVE-2025-62627 is a critical vulnerability affecting VMware ESXi, specifically versions 8.0 up to 8.0U3i and VCF 5.2.3.0. This flaw stems from an untrusted pointer dereference within the ionic cloud driver, allowing a malicious, unprivileged virtual machine to potentially access sensitive kernel or co-located guest VM memory. Successful exploitation could lead to a loss of confidentiality or availability of the affected systems. VMware has released Security Advisory VMSA-2026-0009 to address this issue.
Impact and Attack Scenarios
The core impact of CVE-2025-62627 lies in the potential for unauthorized access to kernel and guest VM memory. An attacker, already possessing a foothold within a virtual machine, can exploit this vulnerability to read sensitive data stored in kernel memory or even within the memory space of other virtual machines sharing the same host. This could expose credentials, encryption keys, or other confidential information. Furthermore, the memory corruption caused by the untrusted pointer dereference could lead to a denial-of-service condition, rendering the ESXi host and its virtual machines unavailable. The potential for lateral movement within the virtualized environment is significant, as an attacker could leverage compromised guest VMs to target other VMs on the same host.
Exploitation Context
CVE-2025-62627 is currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating a potential for active exploitation. The EPSS score is pending evaluation, but the severity of the vulnerability suggests a medium to high probability of exploitation. Proof-of-concept (PoC) code has not been publicly released as of the publication date, but the potential for memory corruption and information disclosure makes it a high-priority target for attackers. Refer to VMware Security Advisory VMSA-2026-0009 for further details and updates.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2025-62627 is to apply the security update released by VMware in Security Advisory VMSA-2026-0009. This advisory details the patched versions for ESXi 8.0 and 9.0. If immediate patching is not feasible, consider implementing network segmentation to limit the potential blast radius of a successful attack. While not a direct fix, restricting network access to the ESXi host and its management interfaces can reduce the attack surface. Monitor ESXi host logs for any unusual activity or memory-related errors that might indicate exploitation attempts. After applying the update, verify the fix by attempting to reproduce the vulnerability in a test environment (if possible) or by reviewing VMware's verification steps outlined in VMSA-2026-0009.
How to fix
Apply the security updates provided by VMware for ESXi 8.x and 9.x that address this vulnerability. See the AMD security bulletin (https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-2001.html) for more details and the specific fixed versions.
Frequently asked questions
What is CVE-2025-62627 — Memory Leak in VMware ESXi?
CVE-2025-62627 is a critical vulnerability in VMware ESXi versions 8.0 (up to 8.0U3i) and 9.0, allowing an unprivileged VM to potentially read kernel or guest VM memory, leading to data exposure or denial of service.
Am I affected by CVE-2025-62627 in VMware ESXi?
If you are running VMware ESXi 8.0 (up to 8.0U3i) or 9.0, and VCF 5.2.3.0, you are potentially affected. Check your version against the advisory to confirm.
How do I fix CVE-2025-62627 in VMware ESXi?
Apply the security update released by VMware in Security Advisory VMSA-2026-0009. This advisory details the patched versions for ESXi 8.0 and 9.0.
Is CVE-2025-62627 being actively exploited?
CVE-2025-62627 is listed on the CISA KEV catalog, suggesting a potential for active exploitation. Monitor your systems and apply the patch promptly.
Where can I find the official VMware advisory for CVE-2025-62627?
You can find the official VMware Security Advisory (VMSA-2026-0009) on the VMware Security Advisories website: https://www.vmware.com/security/advisories/VMSA-2026-0009.html
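To check a host inventory against the range given in the "Am I affected" answer (ESXi 8.0 up to 8.0U3i), the following added example, which is not code from VMware or from this page, parses release labels and classifies each host. The hostnames are constructed, the label spellings it accepts ("8.0U3i", "8.0 Update 2b") are an assumption, and 9.0 is reported as "check-advisory" because this page gives no upper bound for it.

```python
import re

# Release labels in the form this page uses: "8.0", "8.0U3", "8.0U3i".
# Accepting "8.0 Update 2b" as an equivalent spelling is an assumption.
_LABEL = re.compile(
    r"^(\d+)\.(\d+)(?:\s*U(?:pdate\s*)?(\d+))?\s*([a-z])?$", re.IGNORECASE
)

def parse_release(label):
    """Return (major, minor, update, patch_letter) as a sortable tuple."""
    m = _LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised ESXi release label: {label!r}")
    major, minor, update, letter = m.groups()
    # No update level sorts as 0 and no patch letter as "", below "a".
    return (int(major), int(minor), int(update or 0), (letter or "").lower())

# Bounds taken from this page; fixed versions are listed only in the advisory.
AFFECTED_MIN = parse_release("8.0")
AFFECTED_MAX = parse_release("8.0U3i")

def triage(label):
    """Classify one release label against the range stated on this page."""
    try:
        rel = parse_release(label)
    except ValueError:
        return "unknown"            # needs a manual look, never silently "ok"
    if AFFECTED_MIN <= rel <= AFFECTED_MAX:
        return "affected"
    if rel[:2] == (9, 0):
        return "check-advisory"     # page lists 9.0 without an upper bound
    return "outside-listed-range"

def report(inventory):
    """Map each host name to its triage status."""
    return {host: triage(label) for host, label in inventory.items()}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "esx-lab-01": "8.0U3i",
    "esx-lab-02": "8.0 Update 2b",
    "esx-lab-03": "8.0U3j",
    "esx-lab-04": "9.0",
    "esx-lab-05": "custom-image",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as "outside-listed-range" is only outside the range quoted here; confirm the fixed release for its branch in VMSA-2026-0009 before treating it as patched.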