VMware’s Latest Move: No Active Contract, No Security Patches – A Dangerous Precedent

The acquisition of VMware by Broadcom has brought sweeping changes, but none as damaging as their new stance on perpetual license holders. In what seems like a deliberate cash-grab, Broadcom has now locked security updates behind an active support contract, meaning customers with perpetual licenses cannot download security patches unless they renew their contract.

This decision is alarming in light of the latest critical security vulnerabilities affecting VMware ESXi, which are actively being exploited. If you thought your perpetual license ensured access to essential updates, think again—Broadcom now forces you to pay for security.


Security at Risk: No Payment, No Protection

Broadcom recently confirmed multiple critical vulnerabilities in VMware ESXi, some with CVSS scores of 9.3, putting thousands of systems at risk:

🔴 CVE-2025-22224 (CVSS 9.3, Critical) – Allows a guest VM user with admin privileges to execute arbitrary code on the hypervisor host, leading to full system compromise.
🟠 CVE-2025-22225 (CVSS 8.2, Important) – Enables attackers to perform arbitrary kernel writes, facilitating a hypervisor escape.
🟡 CVE-2025-22226 (CVSS 7.1, Important) – Allows memory leakage from the VMX process, which could be leveraged for further attacks.

These vulnerabilities make unpatched VMware environments an easy target for ransomware operators and advanced persistent threats (APTs). However, Broadcom now refuses to provide security patches unless customers renew their contracts, even if they already own a perpetual license.


Real-Life Confirmation: Broadcom’s Shocking Support Response

To verify this policy, we engaged with Broadcom support to request a security patch for VMware ESXi 6.7. The response?

🗣 Question: How can we download the security patch for a VMware ESXi 6.7 installation with a perpetual license?

🖥 Broadcom Support Response:
“Upon further investigation, the license key contract on site ID XXXXXXX expired on 2025-01-23. In order to download the patch, the contract must be renewed. Additionally, the current license key version is on 7, so to access the 6.7 patch, the key must be downgraded accordingly.”

Translation: Even if you already paid for your VMware license, you must pay again to download security updates. Worse yet, you may need to “downgrade” your license to even qualify for patches.


The Real Impact: Broadcom’s Anti-Consumer Lockdown

VMware’s new policy has serious consequences for IT infrastructure security:

1️⃣ Essential security updates are now behind a paywall – If you don’t renew your contract, you remain vulnerable to active exploits.
2️⃣ Forced migration to newer versions – Broadcom wants businesses to move to vSphere 8, pushing them into costly and unplanned upgrades.
3️⃣ Critical security risks for enterprises – Without access to patches, thousands of businesses are now at higher risk of cyberattacks.
4️⃣ Turning perpetual licenses into forced subscriptions – What was once a one-time purchase with guaranteed security updates is now a hidden subscription model.


A Dangerous Trend in the Tech Industry

Broadcom’s decision sets a dangerous precedent for the software industry. Customers who legally purchased perpetual licenses now find themselves forced into:

Paying expensive support contracts just to access basic security patches.
Running unpatched and vulnerable systems, exposing themselves to ransomware and cyberattacks.
🔄 Migrating away from VMware, which is costly and time-consuming but might be the only viable option.


What Can Users Do?

If you’re impacted by this predatory policy, consider the following steps:

🔹 Explore virtualization alternatives – Proxmox VE, KVM, or Microsoft Hyper-V may be viable VMware replacements.
🔹 Pressure Broadcom & VMware publicly – Raise awareness on forums, social media, and official channels to demand a policy reversal.
🔹 Assess mitigation options – While risky, some organizations may rely on firewalls and segmentation to reduce attack exposure.
🔹 Check with resellers – Some VMware distributors may still offer access to patches without a direct Broadcom contract.


Conclusion: Pay Up or Get Hacked?

Broadcom’s blatant disregard for customer security is irresponsible and reckless. Preventing customers from downloading critical patches unless they pay extra is nothing short of extortion, especially when those vulnerabilities are already being actively exploited.

By locking security behind a paywall, Broadcom is sending a clear message:
🚨 If you don’t pay, your VMware infrastructure will remain vulnerable.

For businesses and IT professionals who rely on VMware for critical workloads, this unethical shift means it might be time to reconsider VMware altogether before Broadcom’s policies cause even more damage.
