Since the acquisition of VMware by Broadcom, the situation for customers with perpetual licenses has changed dramatically. What was once a predictable business model, in which a company could pay once for a license and receive essential security updates, has now become a corporate trap. If you don’t have an active support contract, you cannot download security patches, even for critical vulnerabilities.
Security at Risk: If You Don’t Pay, You’re Not Protected
This policy change is particularly alarming considering the recent critical security vulnerabilities discovered in VMware ESXi. As we previously reported, Broadcom confirmed several security flaws in March 2025, some of which are already being actively exploited by attackers:
🔴 CVE-2025-22224 (CVSS 9.3, Critical) – Allows an attacker with access to a virtual machine to execute code on the host hypervisor.
🟠 CVE-2025-22225 (CVSS 8.2, Important) – Enables arbitrary write access to the kernel, which could lead to escaping the virtualized environment.
🟡 CVE-2025-22226 (CVSS 7.1, Important) – Leaks memory contents from the ESXi VMX process, which can be used as a building block in more advanced attacks.
Any of these vulnerabilities poses an imminent risk to virtualized infrastructures, as they could allow for ransomware execution or unauthorized access to the system. However, Broadcom has decided to restrict access to security patches, requiring customers with perpetual licenses to renew their support contracts before they can download them.
Real Testimony: Broadcom’s Response
To confirm this issue, we attempted to obtain the security patch for an installation of VMware ESXi 6.7, a version that is still widely used in companies; although outdated, it remains functional. The result was the following exchange with Broadcom support:
🗣 Question: How can we download the security patch for a VMware ESXi 6.7 installation with a perpetual license?
🖥 Response from the Broadcom agent:
“Upon further investigation, the license key contract for site ID XXXXXXX expired on January 23, 2025. To download the patch, the license key contract needs to be renewed. Additionally, the current version of the license key is at 7, so for future renewals, the key must be downgraded to version 6 in order to download the 6.7 patch.”
In other words, even if a customer has paid for a perpetual license, they cannot download security patches without an active contract. In this case, renewing the contract isn’t even enough: they have to make a special request to “downgrade” the license to an earlier version.
What Does This Change Imply?
What Broadcom is doing with VMware sets a dangerous precedent in the business software sector. Here are some of the most alarming consequences:
1️⃣ Blocking Essential Updates: If you hold a perpetual license, you cannot protect your infrastructure without paying for an additional support contract.
2️⃣ Forced Push to Newer Versions: Broadcom wants everyone to migrate to vSphere 8, pushing companies into upgrades they may not be prepared for.
3️⃣ Cybersecurity Risk: Without security patches, older versions remain exposed to attacks, increasing risks for companies and their data.
4️⃣ Abusive Business Model: Previously, a perpetual license guaranteed access to security fixes. Now, Broadcom has turned it into a disguised subscription model, eliminating the option to operate secure software without ongoing payments.
A Bad Precedent for the Industry
The case of VMware is a clear example of how the monopolization and acquisition of tech companies can harm customers. Businesses and system administrators who relied on VMware for their infrastructure now face a tough choice:
✔ Pay expensive contracts to access basic security patches.
✖ Continue using vulnerable software, exposing their data and systems to attacks.
🔄 Migrate to another virtualization provider, which incurs high costs in time and resources.
What Can Users Do?
If you are one of those affected by this new policy from Broadcom, consider these options:
🔹 Explore virtualization alternatives: Options like Proxmox VE, KVM, or even Microsoft Hyper-V may be viable depending on your environment.
🔹 Pressure Broadcom and VMware: Publicly raise the issue in forums, social media, and support channels. The more pressure there is, the more likely the company is to reconsider its policy.
🔹 Assess the impact of not updating: Running unpatched hosts is a security risk, but some organizations can partially mitigate it by restricting who can reach the hosts with firewalls and network segmentation.
🔹 Contact distributors and suppliers: In some cases, license distributors may have options to access patches without a direct contract with Broadcom.
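The segmentation option above only helps if the management plane of each ESXi host is in fact unreachable from ordinary VM and user networks. The following script is an added example, not code from the article or from VMware, showing how an administrator can audit that with an inventory kept as code: it models the firewall rules in front of each host, probes them from an admin address and from a non-admin address, and reports every management service (SSH, HTTPS management, vmware-authd on tcp/902) that a non-admin source can still reach. The admin network, host addresses, rule sets and probe points are all constructed for the example; a real deployment would load them from the firewall and host inventory.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed admin/jump-host network: the only network that should be able
# to reach ESXi management services.
ADMIN_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]

# Management-plane services an ESXi host typically exposes (port -> label).
MGMT_PORTS = {22: "ssh", 443: "https-mgmt", 902: "vmware-authd"}


@dataclass
class FirewallRule:
    """One rule in front of a host: allow or deny traffic from src to dst_port."""
    src: ipaddress.IPv4Network
    dst_port: int
    action: str  # "allow" or "deny"


@dataclass
class EsxiHost:
    name: str
    mgmt_ip: str
    rules: list = field(default_factory=list)


def reachable(host: EsxiHost, src: ipaddress.IPv4Address, port: int) -> bool:
    """First matching rule wins; if nothing matches the default is deny."""
    for rule in host.rules:
        if src in rule.src and rule.dst_port == port:
            return rule.action == "allow"
    return False


def is_admin(src: ipaddress.IPv4Address) -> bool:
    return any(src in net for net in ADMIN_NETWORKS)


def audit_exposure(hosts, probe_sources):
    """Return (host, source, port, service) for every management service a
    non-admin source can reach; each tuple is a segmentation gap to close."""
    findings = []
    for host in hosts:
        for src in probe_sources:
            if is_admin(src):
                continue
            for port, service in MGMT_PORTS.items():
                if reachable(host, src, port):
                    findings.append((host.name, str(src), port, service))
    return findings


# --- Constructed inventory (hypothetical hosts and rules) -------------------
ADMIN_NET = ipaddress.ip_network("10.50.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

HOSTS = [
    EsxiHost(
        name="esx01", mgmt_ip="10.10.0.11",
        rules=[FirewallRule(ADMIN_NET, 22, "allow"),
               FirewallRule(ADMIN_NET, 443, "allow"),
               FirewallRule(ADMIN_NET, 902, "allow")],
    ),
    EsxiHost(
        name="esx02", mgmt_ip="10.10.0.12",
        rules=[FirewallRule(ANY, 443, "allow"),   # leftover "allow from anywhere" rule
               FirewallRule(ADMIN_NET, 22, "allow")],
    ),
]

# Constructed probe points: one admin workstation, one address on a VM/user network.
PROBES = [ipaddress.ip_address("10.50.0.7"), ipaddress.ip_address("192.168.20.40")]


if __name__ == "__main__":
    for name, src, port, service in audit_exposure(HOSTS, PROBES):
        print(f"{name}: {service} (tcp/{port}) reachable from non-admin source {src}")
```

Run as written, the audit reports only esx02, whose HTTPS management interface is still open to the user network through the old allow-all rule; esx01 is reachable solely from the admin subnet. The rule model is deliberately simple (first match wins, default deny), which matches how most perimeter firewalls and the ESXi host firewall behave, so the same check can be fed real rule exports rather than the constructed ones here.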
Conclusion
The shift VMware has undergone under Broadcom challenges businesses that relied on its perpetual licensing model. Blocking access to security patches is irresponsible and dangerous, especially with critical vulnerabilities already exploited by attackers.
Broadcom has turned its customers’ security into a commodity, forcing them to pay for what was once a basic right for any business software user. In a world where cyber threats are growing every day, this decision could jeopardize thousands of companies and organizations that depend on VMware.
If VMware and Broadcom do not reverse this policy, the message is clear: it’s time to seek alternatives before it’s too late.