Earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
Given VMware’s significant footprint in corporate IT, many organisations are facing the challenge of maintaining a secure virtualisation environment at an affordable cost. As Computer Weekly has previously reported, Broadcom has simplified the VMware product portfolio, which means several products are now bundled into VMware Cloud Foundation, driving up costs.
On 12 May, Broadcom issued security advisories relating to some of its VMware products. One – CVE-2025-22249, which affects the Aria toolset – has been flagged as critical. The other – CVE-2025-22247, which impacts VMware Tools – is classified as moderate risk.
While it has issued patches for VMware Aria 8.18.x and VMware Tools 11.x.x and 12.x.x, Broadcom has not provided any workarounds.
According to some industry experts, the lack of a workaround and access to patches for customers running perpetual VMware licences not only causes a rift between Broadcom and VMware customers, but can also be interpreted as indirect pressure from the owner of VMware to move customers onto subscription-based licensing.
In an open letter, VMware rival Platform9 pointed out that when Broadcom switched from perpetual licensing of VMware to subscription-based pricing, it assured customers that the transition would not affect customers’ ability to use their existing perpetual licences.
In the letter, Platform9 said: “This past week, that promise was broken. Many of you have reported receiving cease-and-desist orders from Broadcom regarding your use of perpetual VMware licenses. These letters demand that you remove/deinstall patches and bugfixes that you may be using.”
According to Platform9, Broadcom’s definition of “licensed support” looks to have changed. The letter notes that VMware customers with perpetual licences are only covered for “zero-day” security patches. “Regular security patches, bugfixes and minor patches can only be used if you now pay for an ongoing subscription,” Platform9 warned in the open letter.
Without access to patches, VMware customers that use third-party support for their perpetually licensed VMware products need to rely on workarounds.
Looking at the specific vulnerabilities, Iain Saunderson, chief technology officer at Spinnaker Support, said the company provided its VMware third-party support customers with an advisory within hours. “There are workarounds that we implement to disrupt possible attack chains. Our proactive and robust approach to security means we make a fix quickly available to customers that’s easier to deploy than a version upgrade or patch.”
Many vulnerabilities stem from configuration weaknesses, not outdated software or patching gaps Craig Savage, Spinnaker Support
Gabe Dimeglio, chief information security officer, senior vice-president and general manager at Rimini Protect and Watch, said: “Our threat intelligence team is actively reviewing, and our support team is assisting clients who have requested assistance. We have a 10-minute response time SLA for priority cases and we work individually with each client based on their specific use of the affected product or module within their unique environments and mitigations are tailored based on their applicable systems and configurations.”
The alert for the CVE-2025-22247 vulnerability notes that VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest virtual machine (VM) can exploit the vulnerability to tamper with the local files to trigger insecure file operations within that VM.
Rimini Street said the vulnerability allows users to exploit a flaw in VMware Tools and the alternative Open-VM-Tool to manipulate a virtual machine’s filesystem. It recommended using Open-VM-Tools over VMware Tools where feasible.
According to analysis from Rimini Street, CVE-2025-22249 pertains to a cross-site scripting (XSS) vulnerability with the VMware Aria automation tool that is typically used only by administrators to facilitate tasks, and many organisations may not be using it at all.
Craig Savage, vice-president of cyber security at Spinnaker Support, said: “A strategic approach to security involves proactive mitigation. That’s exactly what third-party providers offer. Before applying a patch, they assess how vulnerabilities impact the environment, ensuring security gaps are closed holistically. Many vulnerabilities stem from configuration weaknesses, not outdated software or patching gaps.”
According to Savage, misconfigurations like exposed vCenter instances on the internet are a far greater threat than missing a single patch. He said third-party support teams are able to perform proactive security reviews, looking at an organisation’s entire security posture. “A weak root password on vCenter isn’t fixed with a patch – it requires assessment, remediation and better security policies,” he added.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
