Oracle has disclosed multiple critical vulnerabilities in its Oracle VM VirtualBox virtualization software, potentially allowing attackers to achieve complete control over the VirtualBox environment.
These flaws, detailed in the October 2025 Critical Patch Update (CPU), affect the Core component of VirtualBox versions 7.1.12 and 7.2.2, enabling high-privileged local attackers to compromise confidentiality, integrity, and availability with devastating consequences.
The disclosure highlights the ongoing risks in virtualization platforms, where even local access can lead to broader system impacts due to scope changes.
Experts warn that these vulnerabilities could facilitate full takeover scenarios, making immediate patching essential for users relying on VirtualBox for development, testing, and secure isolation.
No evidence of active exploitation has surfaced yet, but the high CVSS scores underscore the urgency.
Oracle’s advisory emphasizes that while exploitation requires high privileges and local access, the potential for unauthorized data access and denial-of-service attacks remains a severe threat.
Vulnerability Breakdown And Affected Versions
The October 2025 CPU addresses nine specific CVEs in VirtualBox’s Core, none of which is remotely exploitable without authentication; all require local access.
These issues stem from improper privilege handling and unsafe actions, allowing a high-privileged attacker with logon to the infrastructure where VirtualBox runs to escalate control.
The most severe, including CVE-2025-62587 through CVE-2025-62590 and CVE-2025-62641, carry a CVSS 3.1 Base Score of 8.2, indicating high risk due to low attack complexity and changed scope.
For a comprehensive overview, the following table summarizes the CVEs, affected products, scores, and impacts based on Oracle’s risk matrix:
CVE ID | Product | Component | Remote Exploit without Auth.? | Base Score (CVSS 3.1) | Attack Vector | Attack Complexity | User Interaction | Supported Versions Affected
---|---|---|---|---|---|---|---|---
CVE-2025-62587 | Oracle VM VirtualBox | Core | No | 8.2 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62588 | Oracle VM VirtualBox | Core | No | 8.2 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62589 | Oracle VM VirtualBox | Core | No | 8.2 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62641 | Oracle VM VirtualBox | Core | No | 8.2 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62590 | Oracle VM VirtualBox | Core | No | 8.2 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-61760 | Oracle VM VirtualBox | Core | No | 7.5 | Local | High | Required | 7.1.12, 7.2.2
CVE-2025-61759 | Oracle VM VirtualBox | Core | No | 6.5 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62591 | Oracle VM VirtualBox | Core | No | 6.0 | Local | Low | None | 7.1.12, 7.2.2
CVE-2025-62592 | Oracle VM VirtualBox | Core | No | 6.0 | Local | Low | None | 7.1.12, 7.2.2
Lower-severity flaws such as CVE-2025-61759, CVE-2025-62591 and CVE-2025-62592 score between 6.0 and 6.5; their impact is limited to confidentiality, with no integrity or availability disruption.
All vulnerabilities require local access but can propagate beyond VirtualBox due to scope changes. Successful exploitation could result in the complete takeover of the VirtualBox environment, exposing sensitive virtual machine data and enabling malware persistence across isolated systems.
For enterprises using VirtualBox in development pipelines or as a lightweight hypervisor, this poses risks of data leaks, ransomware deployment, or lateral movement in networks.
Individual developers might face personal data compromise if running untrusted guest OSes. The High integrity and availability impacts of the top-scored flaws could cause crashes or unauthorized modifications, disrupting workflows.
While no public proofs-of-concept exist, the flaws’ similarity to past virtualization bugs raises concerns about targeted attacks.
Mitigations
Oracle urges users to apply the October 2025 CPU patches immediately, available via the official download portal.
Beyond patching, organizations should enforce least-privilege access, monitor high-privileged accounts, and audit VirtualBox configurations for unnecessary exposures.
Disabling unused features and isolating VirtualBox instances in segmented networks can mitigate risks. For those unable to patch promptly, temporary workarounds include restricting logon privileges and validating system integrity regularly.
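As a starting point for the configuration audit described above, here is an added inventory check (not from the article or from Oracle) that parses the output of `VBoxManage --version` and flags hosts still on a build the October 2025 CPU lists as affected. It assumes `VBoxManage` is on the PATH, and it treats an earlier build on the same 7.1 or 7.2 branch as also needing review, since Oracle’s matrix only lists supported versions.

```python
"""Inventory check for the VirtualBox builds listed in the October 2025 CPU.

Added example; not the article's or Oracle's code. Parses the output of
`VBoxManage --version` (e.g. "7.2.2r170484") and classifies the host.
ASSUMPTION: an earlier build on the same major.minor branch as a listed
version is also flagged, because only supported versions appear in the matrix.
"""
import re
import subprocess

# Supported versions affected, as stated in the advisory text.
AFFECTED = {(7, 1, 12), (7, 2, 2)}

# VBoxManage prints "<major>.<minor>.<patch>r<revision>"; the revision is optional here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?")


def parse_version(text: str):
    """Return (major, minor, patch) from VBoxManage output, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def assess(version) -> str:
    """Classify a parsed version: 'affected', 'not-listed' or 'unknown'."""
    if version is None:
        return "unknown"
    for affected in AFFECTED:
        if version == affected:
            return "affected"
        # Same major.minor branch but an earlier build (assumption noted above).
        if version[:2] == affected[:2] and version < affected:
            return "affected"
    # Not in the matrix: a newer build, or a branch Oracle does not list; review manually.
    return "not-listed"


def check_host() -> str:
    """Run VBoxManage on this host and return its assessment."""
    try:
        out = subprocess.run(["VBoxManage", "--version"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "not-installed"
    return assess(parse_version(out))


if __name__ == "__main__":
    print(check_host())
```

A result of `not-listed` only means the build is absent from the matrix; confirm the branch is a patched one before closing the finding.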