CVE-2025-30712: 
VirtualBox vulnerability analysis and mitigation

A vulnerability has been identified in Oracle VM VirtualBox version 7.1.6 (component: Core). This vulnerability (CVE-2025-30712) was discovered by CVR of Google and Juan José López Jaimez of Google, and was publicly disclosed on April 15, 2025 (Oracle CPU, NVD).

The vulnerability is classified as easily exploitable and requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. The weakness has been categorized as CWE-284 (Improper Access Control) (NVD).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data, as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. Additionally, attackers can gain unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. The vulnerability's scope is changed, meaning attacks may significantly impact additional products beyond VirtualBox (NVD).

Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until patches can be applied, it may be possible to reduce the risk by restricting access to the infrastructure where Oracle VM VirtualBox executes to only trusted users with legitimate business need (Oracle CPU, FortiGuard).