Earlier this month, Broadcom told customers it won’t renew support contracts for VMware products bought on a perpetual license. Support will only be available for those who switch to VMware subscriptions.
VMware plays a huge role in corporate IT, and businesses are struggling to maintain secure virtualization environments without breaking the bank. Broadcom has streamlined VMware’s product lineup, bundling many tools into VMware Cloud Foundation, which raises costs.
On May 12, Broadcom released security advisories for some VMware products. One critical issue, CVE-2025-22249, affects the Aria toolset, while CVE-2025-22247, concerning VMware Tools, is deemed a moderate risk. Although Broadcom has put out patches for VMware Aria 8.18.x and VMware Tools 11.x.x and 12.x.x, it hasn’t offered any workarounds.
Experts argue this lack of support creates tension between Broadcom and VMware customers and appears to push users toward subscription models. Platform9, a rival to VMware, publicly stated that when Broadcom transitioned to subscriptions, it promised that customers could still use their existing perpetual licenses. Recent reports of cease-and-desist letters from Broadcom demanding the removal of patches contradict that promise.
Platform9 highlighted that under Broadcom’s current interpretation, VMware customers with perpetual licenses only get zero-day security patches. Regular security updates and bug fixes require an ongoing subscription, which raises the stakes for these organizations.
Customers who rely on third-party support for their perpetual licenses, and therefore cannot obtain Broadcom's patches, must find alternative mitigations. Iain Saunderson, CTO at Spinnaker Support, said his company quickly notified clients about workarounds to counter possible exploitation. Their approach is to provide fixes that are easier to implement than standard updates.
Gabe Dimeglio, CISO at Rimini Protect and Watch, said they’ve established a 10-minute response time SLA for critical cases. Their support team collaborates closely with clients to tailor mitigations based on specific system configurations.
CVE-2025-22247 is a file handling vulnerability in VMware Tools. A malicious actor with only limited privileges inside a guest VM could exploit it to tamper with local files within that VM. Rimini Street highlighted the risk and recommends switching to Open-VM-Tools where possible.
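Before deciding between a patch and a move to Open-VM-Tools, an administrator needs to know which guests are still running the VMware-supplied Tools build and at what version. The PowerCLI script below is an added example, not code from the article or from any vendor named in it. It assumes the VMware.PowerCLI module is installed, read access to VM configuration in vCenter, that `Get-VM` exposes the Tools version as a dotted string in `Guest.ToolsVersion`, and that `Config.Tools.ToolsInstallType` distinguishes the VMware-supplied installers from open-vm-tools. The article names the patched lines (11.x.x and 12.x.x) but not the exact fixed builds, so those are left as placeholders to be filled from the Broadcom advisory.

```powershell
# Added example (not from the article or any vendor): inventory VMware Tools
# install type and version across a vCenter so that guests still on the
# VMware-supplied Tools can be listed and assessed against the fixed builds.
Import-Module VMware.PowerCLI -ErrorAction Stop

# PLACEHOLDER: the article does not give the fixed builds for CVE-2025-22247;
# replace these with the versions from the Broadcom advisory before use.
$FixedTools = @{
    11 = [version]'11.0.0'
    12 = [version]'12.0.0'
}

function Get-ToolsExposure {
    param(
        [Parameter(Mandatory)][string]$VCenter,
        [hashtable]$Fixed = $FixedTools
    )

    Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null
    try {
        foreach ($vm in Get-VM) {
            # Config.Tools.ToolsInstallType reports how Tools were installed, e.g.
            # guestToolsTypeMSI (Windows), guestToolsTypeTarGZ (Linux tarball),
            # guestToolsTypeOpenVMTools (distribution-packaged open-vm-tools).
            $view        = Get-View -VIObject $vm -Property Name, Config.Tools
            $installType = $view.Config.Tools.ToolsInstallType

            # Assumed format: dotted version string; empty when the guest is
            # powered off or reports no Tools at all.
            $raw = $vm.Guest.ToolsVersion
            $ver = $null
            $parsed = $raw -and [version]::TryParse($raw, [ref]$ver)

            $assessment =
                if ($installType -eq 'guestToolsTypeOpenVMTools') {
                    'open-vm-tools (vendor-packaged; track the distribution advisory)'
                } elseif (-not $parsed) {
                    'unknown (guest off or no Tools version reported)'
                } elseif ($Fixed.ContainsKey($ver.Major) -and $ver -lt $Fixed[$ver.Major]) {
                    'VMware Tools below fixed build'
                } elseif ($Fixed.ContainsKey($ver.Major)) {
                    'VMware Tools at or above fixed build'
                } else {
                    'VMware Tools major version not covered by the advisory lines'
                }

            [pscustomobject]@{
                VM           = $vm.Name
                InstallType  = $installType
                ToolsVersion = $raw
                Assessment   = $assessment
            }
        }
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Usage: list only the guests that still need attention.
# Get-ToolsExposure -VCenter 'vcenter.example.internal' |
#     Where-Object Assessment -like '*below fixed build*' |
#     Format-Table -AutoSize
```

Guests that report no Tools version are listed separately rather than silently skipped, because a powered-off VM with an old Tools build is still exposed once it is powered on again.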
The more critical CVE-2025-22249 relates to a cross-site scripting vulnerability in the VMware Aria automation tool, which many firms may not even use regularly.
Craig Savage, VP of Cyber Security at Spinnaker Support, emphasized the importance of proactive security measures. He noted that third-party providers can evaluate how a vulnerability affects a given environment before patches are applied. In his view, many vulnerabilities arise from configuration errors rather than outdated software.
Savage pointed out that issues like weak passwords on vCenter systems pose a bigger threat than missing patches. Third-party support teams can conduct thorough security reviews to address organizational weaknesses effectively.