If your organization relies on VMware, you now have to purchase an annual subscription to keep using the hypervisor. Broadcom recently revamped VMware’s product line, making it exclusively available as a subscription, and charging based on the number of cores. While some companies, like Telefónica Germany, have found ways to stick with perpetual licenses by buying second-hand options and getting support from third parties, challenges are mounting.
A recent security alert underscores the difficulty of staying on licensed VMware versions without upgrading. Last month, Broadcom warned about three critical zero-day vulnerabilities in key VMware products, including ESXi, Workstation, and Fusion. The worst of these poses a significant risk to ESXi and Workstation but requires privileged access to exploit: an attacker would first need admin or root access inside a virtual machine on an affected hypervisor. As Rapid7 pointed out, that is enough for a chain reaction in which the flaws are used together to break out of the guest and compromise the hypervisor itself.
Broadcom stated that all versions of ESXi, vSphere, and VCF are likely affected unless they’re specifically labeled as fixed. If there’s any doubt about a system’s vulnerability, Broadcom recommends acting as if it’s compromised. They’ve even noted that these vulnerabilities have already been exploited in the wild.
For those using older versions of ESXi, Broadcom has made a patch available for ESX 6.7 through their Support Portal. Users of ESX 6.5 must rely on an extended support process to get patches. Additionally, Broadcom emphasized that products past their end of general support won’t receive updates, encouraging users on versions 6.5 and 6.7 to upgrade to vSphere 8.
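The triage rules described above (patch for 6.7, extended support for 6.5, no updates past end of general support, and "assume affected unless labeled fixed") can be applied to a host inventory in code. The following is an added example written for this article, not Broadcom's or VMware's own tooling; every host name and build number in it is a constructed placeholder, and the fixed-build table must be filled from the vendor advisory.

```python
"""Triage an ESXi host inventory against the vendor guidance summarised above.

Rules encoded (from the article, not from any Broadcom tool):
  * 6.7: a patch exists on the Support Portal -> compare build against the fixed build.
  * 6.5: patches only via the extended-support process -> flag for that process.
  * older than 6.5: past end of general support, no updates -> flag for upgrade.
  * any version not positively matched to a fixed build -> treat as affected.
"""
from dataclasses import dataclass

# PLACEHOLDER values: replace with the fixed build numbers from the advisory.
FIXED_BUILD = {
    "6.7.0": 99999999,   # not a real ESXi build number
    "7.0.3": 99999999,   # not a real ESXi build number
    "8.0.3": 99999999,   # not a real ESXi build number
}


@dataclass
class Host:
    name: str
    version: str   # e.g. "6.7.0"
    build: int


def major_minor(version: str) -> tuple:
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]))


def triage(host: Host) -> str:
    mm = major_minor(host.version)
    if mm < (6, 5):
        return "UPGRADE_REQUIRED"    # past end of general support: no patch will come
    if mm == (6, 5):
        return "EXTENDED_SUPPORT"    # patch only via the extended-support process
    fixed = FIXED_BUILD.get(host.version)
    if fixed is None:
        return "ASSUME_AFFECTED"     # not labelled fixed: act as if compromised
    return "PATCHED" if host.build >= fixed else "PATCH_AVAILABLE"


def triage_inventory(hosts) -> dict:
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (names and builds are made up).
SAMPLE = [
    Host("esx-legacy-01", "5.5.0", 1000),
    Host("esx-old-02", "6.5.0", 2000),
    Host("esx-03", "6.7.0", 3000),
    Host("esx-04", "6.7.0", 99999999),
    Host("esx-05", "7.0.2", 5000),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name}: {status}")
```

Hosts that land in ASSUME_AFFECTED are the ones Broadcom's guidance says to treat as compromised until the advisory confirms otherwise.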
To implement these patches, organizations will need to transition to a VMware subscription unless they can find second-user licenses for a supported version of vSphere. Proper management of this transition could be beneficial, particularly for organizations that can leverage the full VMware Cloud Foundation (VCF) suite and require effective solutions for both virtualization and containerization.
Holland Barry, a field CTO at DXC Technology, highlighted that businesses adapting to VMware’s new licensing models are finding ways to reduce costs and improve efficiency. Many organizations have streamlined their IT by eliminating redundant tools—like logging and microsegmentation—by integrating capabilities within the VMware Cloud Foundation model.
Bola Rotibi from CCS Insight noted that VCF is designed for interoperability, providing a reliable cloud experience for hybrid and multicloud deployments. One of VCF’s strongest features is its ability to run both virtual machines and Kubernetes-based workloads seamlessly. Many companies still rely on traditional virtual machines for legacy applications while seeking to embrace modern, cloud-native solutions. VCF allows them to do both without needing to choose one over the other.
Barry advises IT leaders to adjust their hardware to meet VMware’s new 16-core-per-CPU socket minimum for optimal performance. He emphasizes the importance of aligning memory-to-CPU ratios to ensure efficient workload operations without unnecessary overhead.
However, many IT leaders are wary about running unpatched systems, despite VMware’s established reputation for security. Third-party support provider Spinnaker Support noted that VMware customers are left to determine for themselves whether older, unsupported versions could be affected by vulnerabilities. For instance, they discovered that a patch for version 6.7 addressed features that weren’t present in version 5.5, making the risks irrelevant for users of that older version.
While Broadcom’s bundling simplifies the product lineup, it also complicates matters for users, as some patches are being released for products that many companies don’t use. Craig Savage, from Spinnaker Support, pointed out that this bundling approach makes it harder for customers to identify real security risks. With everything packaged together, distinguishing between genuine threats and irrelevant details becomes increasingly challenging.