Earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
Given VMware’s significant footprint in corporate IT, many organisations are facing the challenge of maintaining a secure virtualisation environment at an affordable cost. As Computer Weekly has previously reported, Broadcom has simplified the VMware product portfolio, which means several products are now bundled into VMware Cloud Foundation, driving up costs.
On 12 May, Broadcom issued security advisories relating to some of its VMware products. One – CVE-2025-22249, which affects the Aria toolset – has been flagged as critical. The other – CVE-2025-22247, which impacts VMware Tools – is classified as moderate risk.
While it has issued patches for VMware Aria 8.18.x and VMware Tools 11.x.x and 12.x.x, Broadcom has not provided any workarounds.
According to some industry experts, the lack of a workaround and access to patches for customers running perpetual VMware licences not only causes a rift between Broadcom and VMware customers, but can also be interpreted as indirect pressure from the owner of VMware to move customers onto subscription-based licensing.
In an open letter, VMware rival Platform9 pointed out that when Broadcom switched from perpetual licensing of VMware to subscription-based pricing, it assured customers that the transition would not affect customers’ ability to use their existing perpetual licences.
In the letter, Platform9 said: “This past week, that promise was broken. Many of you have reported receiving cease-and-desist orders from Broadcom regarding your use of perpetual VMware licences. These letters demand that you remove/deinstall patches and bug fixes that you may be using.”
According to Platform9, Broadcom’s definition of “licensed support” looks to have changed. The letter notes that VMware customers with perpetual licences are only covered for “zero-day” security patches. “Regular security patches, bug fixes and minor patches can only be used if you now pay for an ongoing subscription,” Platform9 warned in the open letter.
Without access to patches, VMware customers that decide to use third-party support for their perpetually licensed VMware products need to rely on workarounds.
Looking at the specific vulnerabilities, Iain Saunderson, chief technology officer at Spinnaker Support, said the company provided its VMware third-party support customers with an advisory within hours of the announcement. “There are workarounds that we implement to disrupt possible attack chains. Our proactive and robust approach to security means we make a fix quickly available to customers that’s easier to deploy than a version upgrade or patch.”
Gabe Dimeglio, chief information security officer, senior vice-president and general manager for Rimini Protect and Watch, said: “Our threat intelligence team is actively reviewing, and our support team is assisting clients who have requested assistance. We have a 10-minute response time SLA for priority cases, we work individually with each client based on their specific use of the affected product or module within their unique environments, and mitigations are tailored based on their applicable systems and configurations.”
The alert for the CVE-2025-22247 vulnerability notes that VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest virtual machine (VM) can exploit the vulnerability to tamper with the local files to trigger insecure file operations within that VM.
Rimini Street said the vulnerability allows users to exploit a flaw in VMware Tools and the alternative Open-VM-Tool to manipulate a virtual machine’s filesystem. It recommends using Open-VM-Tools over VMware Tools where feasible.
According to analysis from Rimini Street, CVE-2025-22249 pertains to a cross-site scripting (XSS) vulnerability with the VMware Aria automation tool that is typically used only by administrators to facilitate tasks, and many organisations may not be using it at all.
Craig Savage, vice-president of cyber security at Spinnaker Support, said: “A strategic approach to security involves proactive mitigation. That’s exactly what third-party providers offer. Before applying a patch, they assess how vulnerabilities impact the environment, ensuring security gaps are closed holistically. Many vulnerabilities stem from configuration weaknesses, not outdated software or patching gaps.”
According to Savage, misconfigurations like exposed vCenter instances on the internet are a far greater threat than missing a single patch. He said third-party support teams are able to perform proactive security reviews, looking at an organisation’s entire security posture. “A weak root password on vCenter isn’t fixed with a patch – it requires assessment, remediation and better security policies,” he added.
