CVE-2025-62591: 
VirtualBox vulnerability analysis and mitigation

A vulnerability has been identified in Oracle VM VirtualBox (component: Core), tracked as CVE-2025-62591. The affected versions are 7.1.12 and 7.2.2. This vulnerability was disclosed on October 21, 2025, as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized as easily exploitable, allowing high privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the system. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.0, primarily impacting confidentiality. The CVSS Vector is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), indicating Local access vector, Low attack complexity, High privileges required, No user interaction needed, and Changed scope (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products due to scope change (Oracle CPU).

Oracle has released patches for the affected versions (7.1.12 and 7.2.2) as part of the October 2025 Critical Patch Update. It is strongly recommended that customers apply these security patches as soon as possible (Oracle CPU).

The vulnerability was discovered and reported by VMBreakers (GANGMIN KIM, SANGBIN KIM, Un3xploitable) working with Trend Micro Zero Day Initiative (Oracle CPU).