CVE-2025-62590: 
VirtualBox vulnerability analysis and mitigation

Vulnerability in Oracle VM VirtualBox (component: Core) affects versions 7.1.12 and 7.2.2. This vulnerability was disclosed in October 2025 as part of Oracle's Critical Patch Update. The vulnerability allows high-privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the system (Oracle CPU).

The vulnerability has been assigned a CVSS 3.1 Base Score of 8.2 (High severity) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. This indicates local access is required (AV:L), low attack complexity (AC:L), high privileges required (PR:H), no user interaction needed (UI:N), with changed scope (S:C), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (Oracle CPU).

Successful exploitation of this vulnerability can result in complete takeover of Oracle VM VirtualBox. While the vulnerability is in VirtualBox, attacks may significantly impact additional products due to the scope change characteristic of the vulnerability (Oracle CPU).

Oracle strongly recommends that customers apply the Critical Patch Update security patches as soon as possible. The vulnerability is fixed in the October 2025 Critical Patch Update (Oracle CPU).

The vulnerability was discovered and reported by VMBreakers (GANGMIN KIM, SANGBIN KIM, Un3xploitable) working with Trend Micro Zero Day Initiative (Oracle CPU).