Broadcom’s restrictive policy leaves unlicensed admins exposed despite high-severity ESXi flaws
Broadcom has issued VMSA-2025-0013, a critical VMware security advisory disclosing four severe vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Tools. All carry CVSSv3 base scores ranging from 6.2 to 9.3, and at least three can enable VM escape scenarios via guest-to-host code execution.
However, access to security patches is restricted to customers with valid Broadcom support contracts. Without an active entitlement, even perpetual license holders cannot download or apply any of the fixed builds, a move sharply criticized by infrastructure professionals and industry observers.
🚨 Technical Summary of CVEs
CVE ID | Component | Type | CVSS | Attack Vector |
---|---|---|---|---|
CVE-2025-41236 | VMXNET3 | Integer Overflow | 9.3 | Guest admin → Host RCE |
CVE-2025-41237 | VMCI | Integer Underflow → OOB Write | 9.3 | Guest admin → VMX process |
CVE-2025-41238 | PVSCSI | Heap Overflow | 9.3 | Guest admin → VMX process |
CVE-2025-41239 | vSockets | Memory Disclosure | 7.1 | Guest admin → Host info leak |
All flaws were responsibly disclosed through Pwn2Own Berlin 2025, and patches are now available — but only through entitled accounts with matching version licenses.
🔒 “No Contract, No Patch” Policy Draws Ire
System administrators attempting to secure legacy or unsupported deployments will hit a hard wall: Broadcom does not allow patch downloads unless the entitled site ID includes the specific affected version. This applies even to minor updates — without license upgrades, you are blocked.
David Carrero, co-founder of European cloud provider Stackscale (Grupo Aire), warns:
“Tying critical security updates to paid support contracts is reckless. It undermines trust and leaves infrastructures exposed by design. Many enterprises own legitimate perpetual licenses yet are denied patches. This is a major breach of best practices in vulnerability disclosure and responsible vendor behavior.”
🛠️ Recommendations for System Administrators
✅ Patch Priority:
- Update to fixed builds immediately if under support:
  - ESXi 8.0 → ESXi80U3f-24784735 or ESXi80U2e-24789317
  - ESXi 7.0 → ESXi70U3w-24784741
  - Workstation Pro 17.x → v17.6.4
  - Fusion 13.x → v13.6.4
  - VMware Tools (Windows) → v13.0.1.0 or 12.5.3 (32-bit)
⚙️ Environment Impact:
- All CVEs are locally exploitable from within a VM with administrative rights.
- May allow:
- Hypervisor-level code execution
- Host compromise from guest
- Sensitive memory leakage via uninitialized buffers
🔄 No Workarounds Available
- Broadcom confirms no mitigation or workarounds are available.
- Patching is the only way to prevent potential compromise.
🧠 Special Notes:
- VMware Tools must be updated separately, not bundled with ESXi.
- Tools patches are not available via Windows Update — must be manually distributed.
- Live Patch is only supported on vSphere Foundation 9.0.
- Live Patching in vSphere 9.x is only possible on hosts without a TPM.
- vCenter Server is not affected, but ensure compatibility before upgrading ESXi.
⚠️ Licensing Barrier = Operational Risk
For admins in production environments with no current support contract:
- Access to all patch versions is locked
- Broadcom states: “You must hold a license key of the same version to view and download patches.”
This restriction severely hinders emergency remediation in:
- End-of-life versions (e.g., vSphere 6.5/6.7)
- Non-upgraded perpetual license deployments
- Mixed or hybrid VMware infrastructures
Carrero concludes:
“Security patches should never be gated behind a paywall. If Broadcom continues this path, CIOs and CISOs must rethink their reliance on VMware and evaluate open-source or vendor-agnostic virtualization solutions.”
🧭 Strategic Recommendations
- Audit your support status and entitlement versions.
- Plan for full version upgrade if patch is inaccessible.
- Migrate critical workloads to supported platforms or vendors.
- Review exposure of vNICs (VMXNET3), VMCI, and PVSCSI in templates.
- Prepare for asynchronous VMware Tools distribution via Lifecycle Manager.
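The two recommendations above that lend themselves to automation are the entitlement/build audit and the review of which VMs and templates actually carry the affected virtual devices. The script below is an added example written for this article, not Broadcom or VMware code: it takes an inventory export (the hosts and VMs here are constructed sample data; in practice you would dump them from vCenter with PowerCLI or govc) and classifies each ESXi host against the fixed builds listed in VMSA-2025-0013. The one subtlety it is built around is that ESXi build numbers are not monotonic across update lines: the 8.0 U2e fix (24789317) has a higher build number than the 8.0 U3f fix (24784735), so a host must be compared against the fixed build of its own release line (8.0.3 for Update 3, 8.0.2 for Update 2, 7.0.3 for 7.0 Update 3), never against a single "highest" build. Hosts on a line with no fixed build in the advisory, or on end-of-life 6.5/6.7, are flagged for upgrade or migration rather than silently passed. The `Host`/`VM` field names are this example's own assumptions.

```python
"""Offline triage for VMSA-2025-0013: host build audit plus VM/template device exposure.
Example code for this article, not Broadcom/VMware tooling. Inventory records are
constructed sample data standing in for a vCenter export."""
from dataclasses import dataclass

# Fixed builds named in the advisory, keyed by the ESXi release line they belong to.
# Build numbers are NOT monotonic across lines (U2e > U3f), so compare within a line only.
FIXED_BUILDS = {
    "8.0.3": 24784735,  # ESXi80U3f
    "8.0.2": 24789317,  # ESXi80U2e
    "7.0.3": 24784741,  # ESXi70U3w
}
EOL_MAJORS = {"6.5", "6.7"}              # advisory lists no fixed build for these
EXPOSED_DEVICES = {"vmxnet3", "pvscsi"}  # VMCI is present in every VM, so it is not a filter


@dataclass
class Host:
    name: str
    version: str  # as reported by the host, e.g. "8.0.3"
    build: int


@dataclass
class VM:
    name: str
    host: str          # name of the ESXi host the VM/template lives on
    devices: list      # virtual device type names, e.g. ["vmxnet3", "pvscsi"]
    is_template: bool = False


def host_status(h: Host) -> str:
    """Classify one host against the advisory's fixed builds for its own release line."""
    parts = h.version.split(".")
    major, line = ".".join(parts[:2]), ".".join(parts[:3])
    if major in EOL_MAJORS:
        return "eol-no-patch"            # migrate or upgrade; no fix exists for this line
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "no-fixed-build-on-line"  # e.g. 8.0.0/8.0.1: version upgrade required first
    return "patched" if h.build >= fixed else "vulnerable"


def triage(hosts, vms):
    """Return (host -> status, [(vm, exposed devices, host status)]) for unpatched hosts."""
    statuses = {h.name: host_status(h) for h in hosts}
    exposed = []
    for vm in vms:
        devs = EXPOSED_DEVICES & {d.lower() for d in vm.devices}
        status = statuses.get(vm.host, "unknown-host")
        # A VM only matters here if it carries an affected device AND sits on an unpatched host.
        if devs and status != "patched":
            exposed.append((vm.name, sorted(devs), status))
    return statuses, exposed


# Constructed sample inventory (names and non-fixed build numbers are made up).
SAMPLE_HOSTS = [
    Host("esx01", "8.0.3", 24784735),  # exactly U3f -> patched
    Host("esx02", "8.0.2", 24785000),  # above U3f's build but below U2e's -> still vulnerable
    Host("esx03", "7.0.3", 24784741),  # exactly U3w -> patched
    Host("esx04", "8.0.1", 22088125),  # 8.0 U1 line: no fixed build in the advisory
    Host("esx05", "6.7.0", 17700523),  # end of life
]
SAMPLE_VMS = [
    VM("web01", "esx01", ["vmxnet3", "pvscsi"]),
    VM("db01", "esx02", ["vmxnet3", "lsilogic"]),
    VM("app02", "esx02", ["e1000e", "lsilogic"]),
    VM("tmpl-win2022", "esx04", ["e1000e", "pvscsi"], is_template=True),
    VM("legacy", "esx05", ["e1000", "lsilogic"]),
]

if __name__ == "__main__":
    statuses, exposed = triage(SAMPLE_HOSTS, SAMPLE_VMS)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    for name, devs, status in exposed:
        print(f"EXPOSED {name} ({', '.join(devs)}) on host marked {status}")
```

Note that `esx02` is the case a naive "build >= 24784735" check would wrongly report as fixed; keying on the release line catches it. Templates are included deliberately, because a template built with VMXNET3 or PVSCSI will reproduce that exposure in every VM deployed from it until the host is patched.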