Broadcom blocks critical VMware ESXi and Tools patches for unsupported users

The vulnerabilities enable virtual machine escape, but without a support contract they cannot be patched.

Broadcom has issued the security bulletin VMSA-2025-0013, revealing four critical vulnerabilities affecting VMware ESXi and VMware Tools for Windows, with CVSS scores ranging from 7.1 to 9.3. Among them are flaws that permit code execution on the hypervisor from a compromised virtual machine: the feared VM escape.

However, the most concerning aspect is not just the technical severity of the flaws, but also the business strategy enforced by Broadcom: without an active support contract, customers cannot access patches, even if they hold legally purchased perpetual licenses.

“It’s unacceptable that a critical vulnerability cannot be fixed unless you pay an additional fee. This policy turns enterprise software into a systemic risk,” warns David Carrero, cloud infrastructure expert and co-founder of Stackscale (Grupo Aire).

🛑 Which versions are affected?

The flaws impact multiple versions of VMware ESXi:

– ESXi 8.0: update to ESXi80U3f-24784735 or ESXi80U2e-24789317.

– ESXi 7.0: update to ESXi70U3w-24784741.

Additionally, VMware Tools on Windows systems is vulnerable to a memory disclosure flaw (CVE-2025-41239), requiring an update to:

– Tools 13.0.1.0, or

– Tools 12.5.3 (for 32-bit Windows).

Linux and macOS systems are not affected by this last vulnerability and do not require immediate VMware Tools updates.

🔍 Technical analysis of critical flaws

The vulnerabilities were identified during Pwn2Own Berlin 2025:

– CVE-2025-41236 (VMXNET3): integer overflow allowing code execution on the host from the VM.

– CVE-2025-41237 (VMCI): integer underflow that enables an out-of-bounds write.

– CVE-2025-41238 (PVSCSI): heap overflow.

– CVE-2025-41239 (vSockets): memory leak from host processes to the VM.

All four require the attacker to already hold administrator privileges inside the compromised VM, and they allow varying degrees of host compromise.

🧱 The support barrier: no contract, no updates

Broadcom has previously confirmed that:

“Only customers with an active support contract and valid licenses for the relevant version can view or download patches.”

This means users with unsupported environments, or running legacy versions without a current support contract, have no legitimate way to obtain and apply the patches, even if they are critically affected.

Access to patches is managed via Broadcom’s support portal and linked to registered site licenses. If the exact version is not present, access is denied.

“It’s a very dangerous precedent for corporate cybersecurity. If a company cannot apply a critical patch due to commercial reasons, the provider’s responsibility is clear,” Carrero states.

⚙️ Implications for system administrators

1. VMware ESXi must be updated to the appropriate corrected version.

2. VMware Tools on Windows machines must be updated manually; the fix is not delivered via Windows Update and is not included in the ESXi base image.

3. No alternative solutions or mitigations are available.

4. Updating vCenter is not necessary, but compatibility should be verified before applying patches.

5. Live Patch only works in environments with vSphere Foundation 9.0 and is not supported on hosts with active TPM.

6. Customers with outdated environments (vSphere 6.5/6.7) must upgrade to vSphere 7 or 8 with extended support in order to patch effectively.

Recommendations

– Immediately audit the installed ESXi and VMware Tools versions.

– Check whether active support exists and whether the affected version is eligible for patches.

– Plan urgent migrations or support renewals to gain access to updates.

– Develop a contingency plan if patching isn’t possible (reduce attack vectors, segment networks, isolate systems).

– For critical infrastructure, consider transitioning to hypervisors with better patching policies (Proxmox, KVM, Nutanix CE…).
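The first recommendation above (audit installed ESXi and VMware Tools versions) and implication 2 (Tools on Windows must be updated manually) are the steps an administrator actually has to script across an estate. The following is an added example, not code from the article, Broadcom or VMware: it classifies ESXi hosts and Windows guests as patched or vulnerable against the fixed builds the article lists (ESXi80U3f-24784735, ESXi80U2e-24789317, ESXi70U3w-24784741; Tools 13.0.1.0 or 12.5.3). It assumes the host version string has the shape printed by `vmware -vl` on an ESXi host ("VMware ESXi 8.0.3 build-24784735"), that ESXi 8.0 U3, 8.0 U2 and 7.0 U3 report versions 8.0.3, 8.0.2 and 7.0.3 respectively, and it interprets the two Tools fixes as "13.0.1.0 or later, or 12.5.3 or later within the 12.x line". All inventory data in it is constructed. The point it makes beyond the text is that build numbers must be compared within a release line: the U2e build (24789317) is numerically higher than the U3f build (24784735), so a single global threshold would misclassify hosts.

```python
"""
Audit helper for VMSA-2025-0013 build levels (added example; not the
article's, Broadcom's or VMware's own code).

Assumptions, labelled here and in the lead-in:
- ESXi version lines look like `vmware -vl` output on the host:
  "VMware ESXi <major.minor.update> build-<build>".
- ESXi 8.0 U3 reports 8.0.3, 8.0 U2 reports 8.0.2, 7.0 U3 reports 7.0.3.
- The sample inventory below is constructed, not collected from real hosts.
"""
import re
from typing import Optional

# Minimum fixed build per ESXi release line, taken from the profile names
# the article cites: ESXi80U3f-24784735, ESXi80U2e-24789317, ESXi70U3w-24784741.
# Builds are only comparable within one release line: note that the U2e
# build number is higher than the U3f one.
FIXED_ESXI_BUILDS = {
    "8.0.3": 24784735,   # 8.0 U3f
    "8.0.2": 24789317,   # 8.0 U2e
    "7.0.3": 24784741,   # 7.0 U3w
}

# VMware Tools for Windows: fixed in 13.0.1.0, or 12.5.3 for the 12.x line
# (the article notes 12.5.3 is the 32-bit Windows build). Interpretation ours.
FIXED_TOOLS_13 = (13, 0, 1, 0)
FIXED_TOOLS_12 = (12, 5, 3, 0)

_ESXI_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_esxi_version(line: str) -> Optional[tuple[str, int]]:
    """Return (release_line, build) from a `vmware -vl` style line, or None."""
    m = _ESXI_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def esxi_status(line: str) -> str:
    """Classify one host: patched / vulnerable / unsupported-line / unparseable."""
    parsed = parse_esxi_version(line)
    if parsed is None:
        return "unparseable"
    release, build = parsed
    fixed = FIXED_ESXI_BUILDS.get(release)
    if fixed is None:
        # e.g. 6.5/6.7: no fixed build listed, the article says upgrade to 7/8
        return "unsupported-line"
    return "patched" if build >= fixed else "vulnerable"


def _vtuple(version: str) -> tuple[int, ...]:
    """'12.5.3' -> (12, 5, 3, 0); pad to four components for safe comparison."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def tools_status(version: str) -> str:
    """Classify a VMware Tools for Windows version string."""
    v = _vtuple(version)
    if v >= FIXED_TOOLS_13:
        return "patched"
    if v[0] == 12 and v >= FIXED_TOOLS_12:
        return "patched"
    return "vulnerable"


def audit(hosts: dict[str, str], tools: dict[str, str]) -> dict[str, str]:
    """Run both checks over an inventory; returns name -> status."""
    report = {name: esxi_status(line) for name, line in hosts.items()}
    report.update({name: tools_status(ver) for name, ver in tools.items()})
    return report


if __name__ == "__main__":
    # Constructed inventory; the non-fixed build numbers are made up.
    sample_hosts = {
        "esx01": "VMware ESXi 8.0.3 build-24784735",  # exactly the U3f build
        "esx02": "VMware ESXi 8.0.3 build-24700000",  # older U3 build
        "esx03": "VMware ESXi 8.0.2 build-24785000",  # above U3f, below U2e
        "esx04": "VMware ESXi 7.0.3 build-24784741",  # exactly the U3w build
        "esx05": "VMware ESXi 6.7.0 build-17700000",  # no fix available
    }
    sample_tools = {"win-app01": "12.5.2", "win-db01": "13.0.1.0", "win-x86": "12.5.3"}
    for name, status in audit(sample_hosts, sample_tools).items():
        print(f"{name:10s} {status}")
```

Feed it the version line from each host (collected however your estate allows, e.g. over SSH or from your CMDB) and the Tools version reported inside each Windows guest. Hosts reported as "unsupported-line" or "vulnerable" with no patch entitlement are the ones that need the contingency measures from the recommendations list.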

📌 Conclusion

The release of VMSA-2025-0013 not only highlights the technical vulnerabilities in ESXi and VMware Tools but also the new commercial reality imposed by Broadcom: cybersecurity becomes a privilege, not a shared responsibility.

Carrero clearly summarizes:

“With policies like these, Broadcom is prompting many administrators to rethink their loyalty to VMware. Digital sovereignty also starts with being able to protect your infrastructure without abusive conditions.”
