Earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis, and that support would only continue once customers moved to a VMware subscription.
Given VMware's significant footprint in corporate IT, many organisations are facing the challenge of maintaining a secure virtualisation environment at an affordable cost. As Computer Weekly has previously reported, Broadcom has simplified the VMware product portfolio, which means several products are now bundled into VMware Cloud Foundation.
On 12 May, Broadcom issued security advisories relating to some of its VMware products. One, CVE-2025-22249, which affects the Aria toolset, has been flagged as critical. The other, CVE-2025-22247, which impacts VMware Tools, is classified as moderate risk.
While it has issued patches for VMware Aria 8.18.x and VMware Tools 11.x.x and 12.x.x, Broadcom has not provided any workarounds.
According to some industry experts, the lack of a workaround, and of access to patches for customers running perpetual VMware licences, not only causes a rift but may also be interpreted as indirect pressure from the owner of VMware to move customers onto subscription-based licensing.
In an open letter, VMware rival Platform9 pointed out that when Broadcom switched from perpetual licensing of VMware to subscription-based pricing, it assured customers that the transition would not affect customers' ability to use their existing perpetual licences.
In the letter, Platform9 said: “This past week, that promise was broken. Many have received cease-and-desist orders from Broadcom regarding your use, demanding that you remove/deinstall patches and bug fixes that you may be using.”
According to Platform9, Broadcom's definition of “licensed support” looks to have changed. The letter notes that VMware customers with perpetual licences are only covered for “zero-day” security patches. “Regular security patches, bug fixes and minor patches can only be used if you now pay for an ongoing subscription,” Platform9 warned in the open letter.
Without access to patches, VMware customers that decide to use third-party support for their perpetually licensed VMware products need to rely on workarounds.
Looking at the specific vulnerabilities, Iain Saunderson, chief technology officer at Spinnaker Support, said the company provided its VMware third-party support customers with an advisory within hours of the announcement. “There are workarounds that we implement to disrupt possible attacks. … than a version upgrade or patch.”
Gabe Dimeglio, chief information security officer, senior vice-president and general manager for Rimini Protect and Watch, said: “Our threat intelligence team is actively reviewing, and our support team is assisting clients who have requested assistance. … product or module within their unique environments, and mitigations are tailored based on their applicable systems and configurations.”
The alert for the CVE-2025-22247 vulnerability notes that VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest virtual machine (VM) can exploit the vulnerability to tamper with local files to trigger insecure file operations within the VM.
Rimini Street said the vulnerability allows users to exploit a flaw in VMware Tools and the alternative open-vm-tools to manipulate a virtual machine's filesystem. It recommends using open-vm-tools over VMware Tools where feasible.
According to analysis from Rimini Street, CVE-2025-22249 pertains to a cross-site scripting (XSS) vulnerability in the VMware Aria Automation tool, which is typically used to facilitate tasks, and many organisations may not be using it at all.
Craig Savage, vice-president of cyber security at Spinnaker Support, said: “A strategic approach to security involves proactive mitigation. … Applying a patch, they assess how vulnerabilities impact the environment, ensuring security gaps are closed holistically. … Patching gaps.”
According to Savage, misconfigurations like vCenter installs exposed on the internet are a far greater threat than a single missing patch. He said third-party support teams are able to perform proactive security reviews, looking at an organisation's entire security posture. “A weak root password on vCenter isn't fixed with a patch – it requires assessment, remedies and better security policies,” he added.