Impact
The reported vulnerability exists in the core component of Oracle® VM VirtualBox. It allows an attacker who already has logon access to the host system and holds high privileges to take control of the virtualization software. Successful exploitation results in full compromise of Confidentiality, Integrity, and Availability for the VirtualBox instance and may lead to a scope change that also affects other components on the host. The weakness corresponds to improper authorization or privilege escalation, providing the attacker with equivalent or greater authority than the original user.
Affected Systems
This issue affects Oracle Corporation’s Oracle® VM VirtualBox versions 7.1.14 and 7.2.4. These releases are part of the Oracle Virtualization product line used to run virtual machines on physical hardware.
Risk and Exploitability
The CVSS base score of 8.2 indicates a high-impact vulnerability. However, the EPSS score is reported as less than 1%, implying a very low likelihood that the vulnerability is actively exploited in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which further reduces the immediate threat level. Because the attack vector is local and requires high-privileged access to the host system, the likelihood of exploitation is limited to environments with weak local access controls. The risk to affected systems therefore remains moderate, driven mainly by the high potential impact rather than prevalent exploitation.