VMware Security Patches Delayed for Perpetual License Holders

Background: VMware Licensing Shift under Broadcom
In November 2024, Broadcom completed its $61 billion acquisition of VMware, one of the flagship players in virtualization and cloud infrastructure. Almost immediately, Broadcom announced the end of new perpetual license sales in favor of bundled subscription SKUs such as vSphere+, VMware Cloud Foundation subscription tiers, and cloud-based VMware Cloud offerings. While Broadcom committed to supporting existing perpetual licenses through their end-of-support dates, many organizations chose to continue operating legacy environments without renewing maintenance contracts, relying on the promised “free access” to zero-day security updates.
Security Patch Access Issues
On July 15, 2025, VMware disclosed three critical vulnerabilities (CVE-2025-22555, CVE-2025-22556 and CVE-2025-22557) affecting ESXi hosts, vCenter Server, and VMware Tools. Despite Broadcom’s public commitment, numerous perpetual license holders reported they were unable to download the official patch bundles—ISO images of ~1.2 GB containing offline hotfixes, VIB profiles for ESXi, and RPM updates for vCenter—from the Broadcom Support Portal.
- Some customers saw “Access Denied” errors when fetching VMwarePatchBundle-2025-0013.iso.
- Others were told by support engineers that entitlement validation blocked downloads until maintenance was renewed.
- VMware’s internal ticketing system flagged these requests under a new “patch delivery cycle” with an estimated 90-day wait.
This delay leaves hypervisor fleets vulnerable to exploitation techniques such as hyperjacking, remote code execution via the SCSI controller interface, and privilege escalation through compromised guest-host shared memory channels.
Technical Deep Dive: Patch Management and Delivery Pipeline
Broadcom’s portal relies on an entitlement validation engine which cross-references customer maintenance IDs against the internal license database. When a perpetual license lapses, the engine currently flags any zero-day patch request as non-entitled—even though Broadcom policy allows free critical updates for products still under Broadcom’s support matrix.
- Entitlement Token Verification: Upon login, the portal issues a JSON Web Token (JWT) that encapsulates license type, support tier, and expiration. Non-renewed perpetual licenses carry the claim "support_expired": true.
- Package Repository Access: The vSphere Update Manager (VUM) repository, backed by an internal Artifactory cluster, serves both subscription and perpetual channels. Access controls are enforced at the repository URL level.
- Bundle Delivery: Critical security advisories like VMSA-2025-0013 generate delta VIBs (ESXi patches) and OVF updates. Without proper entitlement flags, the portal returns HTTP 403.
Organizations can work around these issues using the govc CLI to query patch metadata, or by pulling patches from partner-only mirrors if they hold a valid partner certificate. However, those without a support contract have no alternative official channel.
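To make the entitlement decision described above concrete, here is an added Python model; it is not Broadcom's code, and the demo signing key, the support-matrix set, the advisory fields and any claim names beyond those the article gives are assumptions. It verifies a constructed JWT (algorithm and HMAC checked before any claim is trusted) and contrasts the current engine's blanket 403 with a decision that follows the stated policy of free critical updates for products still in the support matrix.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo; a real portal key never ships to clients.
DEMO_SECRET = b"constructed-demo-secret"
# Products the article names as still under Broadcom's support matrix (assumption).
SUPPORT_MATRIX = {"ESXi", "vCenter Server", "VMware Tools"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT carrying entitlement claims (offline stand-in for the portal login)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Reject unexpected algorithms and bad signatures before trusting any claim."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature mismatch")
    return json.loads(_b64url_decode(body))

def current_engine(claims: dict, advisory: dict) -> int:
    """Behaviour the article describes: lapsed maintenance means HTTP 403 for everything."""
    return 403 if claims.get("support_expired") else 200

def policy_engine(claims: dict, advisory: dict) -> int:
    """Stated policy: critical advisories stay free while the product is still supported."""
    if advisory["severity"] == "critical" and advisory["product"] in SUPPORT_MATRIX:
        return 200
    return 403 if claims.get("support_expired") else 200

def decide(token: str, advisory: dict) -> tuple:
    """Return (current engine status, policy-conformant status) for one download request."""
    claims = verify_token(token)
    return current_engine(claims, advisory), policy_engine(claims, advisory)
```

Running `decide` with a constructed perpetual token whose `support_expired` claim is true and the VMSA-2025-0013 advisory yields (403, 200): the same request the portal denies today would be served under the stated policy.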
Impact on Enterprise Security Posture
Enterprises running unpatched ESXi clusters risk lateral movement attacks, data exfiltration, and persistent backdoors within their virtualization infrastructure. Security teams often deploy host-based intrusion detection systems (HIDS) and network segmentation to mitigate risks, but without the official patches—addressing memory corruption and remote code execution flaws—these compensating controls remain fragile.
Expert opinion: According to Dr. Aisha Patel, Senior Researcher at the Cloud Security Alliance, “Delaying critical patch deployment by even a few weeks can elevate the risk profile of an organization by orders of magnitude, especially when threat actors have published proof-of-concept exploits for VMware ESXi.”
Regulatory and Legal Implications
The delayed patch access intensifies antitrust scrutiny surrounding Broadcom’s VMware takeover. The Cloud Infrastructure Services Providers in Europe (CISPE) filed an appeal with the European General Court in July 2025, seeking annulment of the European Commission’s approval. CISPE argues the Commission failed to impose safeguards against dominance consolidation and license restriction tactics.
“Broadcom’s unilateral termination of perpetual license support, coupled with draconian audit practices, undermines competition and innovation in cloud services,” said CISPE Secretary General Marco De Renzio.
If the court finds the EC’s remedies insufficient, Broadcom could face mandatory licensing concessions or be forced to restore perpetual sales in certain markets. Meanwhile, audit letters sent to non-renewed customers threaten retrospective invoicing of tens of millions of dollars in overdue maintenance fees.
Cloud Service Provider Audit Pressure
Private cloud operators report receiving Software Usage Auditor notices demanding proof of entitlement for every VM in production. Failure to comply can incur fines calculated at 150% of the list-price maintenance cost per unlicensed socket.
Future Outlook and Recommendations
For organizations still on perpetual licenses without support contracts, immediate steps include:
- Implementing host isolation and micro-segmentation to contain potential breaches.
- Using open-source scanners (e.g., OpenSCAP, Nessus) to detect unpatched vulnerabilities.
- Exploring VMware subscription trials or third-party managed patch services to bridge the gap.
Additionally, security teams should monitor the European General Court’s hearing schedule, expected in Q4 2025, for potential rulings that might restore patch access or alter Broadcom’s licensing terms.