Security researchers at ETH Zurich have published a study revealing how attackers can break through virtualization boundaries with a technique they call VMSCAPE (CVE-2025-40300). By exploiting microarchitectural flaws in AMD and Intel CPUs, the attack allows a form of VM escape, enabling a malicious guest virtual machine to read memory belonging to the hypervisor process on the host — undermining one of the foundational security promises of cloud computing.
As the authors explain, “Our systematic analysis shows that this extension [of isolation to the branch predictor state] unfortunately is incomplete… we discover a number of new Spectre Branch Target Injection (Spectre-BTI) attack primitives on AMD Zen 1–5 and Intel Coffee Lake CPUs.”
At the heart of the discovery is VMSCAPE, the first end-to-end Spectre-BTI exploit capable of leaking sensitive host data directly from unmodified hypervisor software. The researchers demonstrated the attack on AMD Zen 4 CPUs, showing that a malicious guest can extract arbitrary QEMU memory at a rate of 32 bytes per second.
“We craft VMSCAPE, the first Spectre-BTI attack that enables a malicious KVM guest to leak arbitrary memory from an unmodified QEMU process running on an AMD Zen 4 host at the speed of 32 B/s, exposing cryptographic keys for disk encryption and decryption,” the team writes.
This marks a significant escalation compared to prior Spectre-class attacks, which often relied on unrealistic assumptions such as host code modifications.
The implications are stark for cloud providers. VMSCAPE enables guest VMs to compromise the hypervisor’s user-space processes, undermining the foundational trust model of cloud isolation.
The researchers warn: “VMSCAPE can leak the memory of the QEMU process… extracting the cryptographic key used for disk encryption/decryption as an example.”
Such attacks could allow threat actors to steal customer data, encryption keys, or infrastructure secrets—all without exploiting software vulnerabilities or requiring elevated privileges.
ETH Zurich disclosed its findings to AMD and Intel in June 2025. The Linux kernel community has since developed mitigations, notably Indirect Branch Prediction Barrier (IBPB)-on-VMEXIT, which flushes the branch predictor state when switching from guest to host.
According to the study, “Our evaluation shows that such a mitigation… introduces a marginal performance overhead in common scenarios.”
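A host-side check a defender might run after applying the kernel patches, added here as an example and not code from the original article, the paper or the Linux patches. It assumes the patched kernel exposes a `vmscape` entry next to `spectre_v2` under the sysfs vulnerabilities directory, and it constructs sample entries so the audit can be exercised offline:

```shell
#!/bin/sh
# Added example (not from the paper or the Linux patches): audit the mitigation
# status a Linux host reports for the branch-predictor weaknesses VMSCAPE uses.
# Each sysfs "vulnerabilities" file holds one line such as "Not affected",
# "Mitigation: ..." or "Vulnerable". The "vmscape" entry name is an assumption
# about kernels patched for CVE-2025-40300; older kernels simply lack the file.

# classify_status LINE -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_entry DIR NAME -> prints "NAME <class> (<raw sysfs line>)"
check_entry() {
    f="$1/$2"
    if [ -r "$f" ]; then
        line=$(head -n 1 "$f")
        echo "$2 $(classify_status "$line") ($line)"
    else
        echo "$2 unknown (entry missing: kernel predates this mitigation?)"
    fi
}

# audit_host DIR -> prints one line per entry; returns the count of entries
# the kernel reports as Vulnerable (0 = nothing flagged).
audit_host() {
    bad=0
    for name in spectre_v2 vmscape; do
        report=$(check_entry "$1" "$name")
        echo "$report"
        case "$report" in "$name vulnerable "*) bad=$((bad + 1)) ;; esac
    done
    return "$bad"
}

# make_sample_sysfs patched|unpatched -> constructed sysfs-like directory for
# exercising the audit without a real host (contents are sample values).
make_sample_sysfs() {
    d=$(mktemp -d)
    echo "Mitigation: Retpolines; IBPB: conditional; STIBP: always-on" > "$d/spectre_v2"
    if [ "$1" = patched ]; then
        echo "Mitigation: IBPB before exit to userspace" > "$d/vmscape"
    else
        echo "Vulnerable" > "$d/vmscape"
    fi
    echo "$d"
}

# On a real host: audit_host /sys/devices/system/cpu/vulnerabilities
```

A non-zero exit status from `audit_host` means at least one of the two entries is reported as Vulnerable, which is the signal to schedule the kernel update before running untrusted guests.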
VMSCAPE is tracked under CVE-2025-40300. The researchers also released source code and documentation here.
Key Takeaways
- VMSCAPE is the first practical guest-to-host Spectre-BTI exploit against unmodified software in default configurations.
- It affects all AMD Zen generations (1–5) and Intel Coffee Lake CPUs.
- Attackers can exfiltrate sensitive data, such as encryption keys, directly from the hypervisor.
- Mitigation requires IBPB-on-VMEXIT, which has already been adopted in Linux patches.
The ETH Zurich team concludes with a sobering reminder: “Despite existing hardware mitigations, all AMD Zen processors and Intel Coffee Lake are vulnerable to new Virtualization-based Spectre-BTI attack primitives.”