Introduction
A local attacker with high privileges can fully compromise Oracle VM VirtualBox on affected systems, and because the vulnerability has a changed scope, the impact can extend beyond the virtualization environment to other products. This vulnerability, tracked as CVE-2025-62589, was disclosed in Oracle's October 2025 Critical Patch Update and is rated high severity with a CVSS 3.1 base score of 8.2.
Oracle VM VirtualBox is a widely used open source virtualization platform maintained by Oracle, supporting Windows, macOS, Linux, and Solaris hosts. It is commonly used in enterprise, development, and educational environments worldwide.
Technical Information
CVE-2025-62589 affects the Core component of Oracle VM VirtualBox. According to Oracle's advisory, it is an easily exploitable vulnerability that allows a high-privileged attacker with local logon to the infrastructure where VirtualBox executes to compromise the product. The vulnerability is not remotely exploitable and does not require user interaction. The CVSS vector is AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, which means:
- Local attack vector
- Low attack complexity
- High privileges required
- No user interaction
- Changed scope (the impact can reach components beyond VirtualBox itself)
- High impact on confidentiality, integrity, and availability
Oracle's advisory does not provide further technical details or code snippets. No public proof of concept or root cause analysis is available at this time.
Affected Systems and Versions
- Oracle VM VirtualBox versions 7.1.12 and 7.2.2 are affected.
- Only these specific versions are listed as vulnerable in Oracle's October 2025 CPU advisory.
- All supported platforms (Windows, macOS, Linux, Solaris) running these versions are at risk.
Vendor Security History
Oracle regularly addresses privilege escalation and VM escape vulnerabilities in VirtualBox through its quarterly Critical Patch Update program. Similar vulnerabilities in the Core component have appeared in previous CPUs, including CVE-2025-53024 through CVE-2025-53030 (July 2025 CPU) and CVE-2025-30725 (April 2025 CPU). Oracle typically provides high-level risk matrices and patch guidance but does not disclose detailed technical information in public advisories.