CVE-2025-62641: 
VirtualBox vulnerability analysis and mitigation

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. The vulnerability was discovered and disclosed on October 21, 2025 (Oracle CPU).

The vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. The vulnerability has been assigned a CVSS 3.1 Base Score of 8.2 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-267 (Privilege Defined With Unsafe Actions) (NVD).

While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox, affecting all three security properties: Confidentiality, Integrity, and Availability (Oracle CPU).

Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. The vulnerability is addressed in Oracle's October 2025 Critical Patch Update (Oracle CPU).

The vulnerability was discovered by VMBreakers (GANGMIN KIM, SANGBIN KIM, Un3xploitable) working with Trend Micro Zero Day Initiative (Oracle CPU).