VMware ESXi/Workstation vulnerability VMSA-2025-0004 currently being exploited in the wild - local admin on a guest can execute code on the host's VMX process
Posted by Anonymous3891@reddit | sysadmin | 87 comments
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
Seems pretty nasty. Happy Tuesday!
thefinalep@reddit
Just got this from Lifecycle Manager... Will install this afternoon.
TehH4rRy@reddit
For 6.7 or 7.0+? I've got 10 hosts on 6.7 I need to patch :(
thefinalep@reddit
Seven. Haven't been on 6 for a while. Was a quick upgrade this time. Got all my hosts (only have 6) done before 5 on the day of the patch! No working after hours, woooo.
TehH4rRy@reddit
Ah fair, yeah these hosts were on their way out for ages. Broadcom support sent me the link to the download page...with the missing download button...stellar work.
Rotflmfaocopter@reddit
Did you ever get a working list? The garbage ass Broadcom support portal won't even allow me to open a ticket. It's not accepting any serial, component or prod version I enter. This is insane.
TehH4rRy@reddit
I had the support guy finally attach the bundle to the case, our account allowed me to raise a call at the least. Have you got any active support contracts on 6.7?
bit_rain@reddit
Has anyone got a CISCO Custom Patch for this vulnerability?
Fredouye@reddit
Patch is also available for ESXi 6.7, which is EOL: https://support.broadcom.com/web/ecx/solutiondetails?patchId=5774
tbrumleve@reddit
I don't see a download link on this page. Under download, where there's usually a little cloud to click, this is blank. I'm logged into my account w/ vSphere Ent+ entitlements. Anyone able to download this patch?
vondrakenstorm@reddit
I managed to get a link with a download button, but it does not work. https://support.broadcom.com/web/ecx/solutiondetails?patchId=5774
When I try to download, it loops on the loading animation
tbrumleve@reddit
I opened a ticket with VMware, non-technical (GCA), and they told me “we know” and “they’re working on it”. I asked for a direct link and they said to open a Technical ticket to get an SFTP link. Just did this in hopes I have a patch in the morning to start on my legacy clusters.
wikk3d@reddit
Did you happen to get a 6.7 download? We have a couple servers too old to migrate to 7.0, but we're still waiting on the link from Broadcom.
tbrumleve@reddit
Yes, they sent me the file via the support ticket. It should be available for all to download now. They fixed their issue on the back end.
wikk3d@reddit
Thank you!
KindlyGetMeGiftCards@reddit
I had the same issues as you yesterday (the loading animation); today the download link is missing, so they are doing something in the background, not sure if it's good or not though. If anyone gets a working link I would appreciate a heads-up.
Al3XRI0@reddit
I'm having the same issue. Opened a ticket with Broadcom yesterday and no response yet.
Da_SyEnTisT@reddit
Anybody got a working link?
JoeyFromMoonway@reddit
I am also looking for it. This is absolutely unacceptable imo.
JoeyFromMoonway@reddit
Is that for everyone or extended support only?
chaoshead1894@reddit
6.7 is for "everyone"; 6.5 patches are only available with extended support.
NetAcademic9904@reddit
Yeah, I’m not seeing 6.7 download at all. Maybe I’m misremembering but could’ve sworn Broadcom weren’t going to paywall critical vulnerabilities?
We upgraded to 8 licensing recently but haven’t decommed one of the single 6.7 hosts yet.
Just got to hope someone uploads it somewhere.
PuzzleheadedRiver613@reddit
For everyone or for extended support only?
TangerineTomato666@reddit
We have recently updated to 8 upd3
To install this patch, can this be done online or is a restart of ESXi Host necessary?
MrYiff@reddit
The release notes from Broadcom do indicate that a host reboot is necessary to apply the fixes:
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3d-release-notes.html
TangerineTomato666@reddit
Thank you.
tireddan@reddit
We updated our hosts from 7.0.3 update 3qs to u3s and ever since we have 1 VM where the CPU spikes and becomes unresponsive until we either reboot or vMotion to another host (that's also patched with u3s). Anyone else experiencing this? No changes on the VM and/or application recently that would explain performance issues.
czj420@reddit
No idea, but is the HW rev up to date? VMtools up to date?
Ok_Figure7074@reddit
VMtools yes, hardware no. We don't regularly update the VM hardware version.
ESXI8@reddit
What about the custom ISOs like HPE? They are still showing the Feb version.
Anonymous3891@reddit (OP)
We only use the custom ISOs for the initial install and just use Lifecycle Manager to update ESXi along with the vendor add-on for whatever firmware level we're running.
GameBoiye@reddit
Can I ask how y'all are updating the vendor side of things? After 7.0 U3q they don't include the vendor add-ons anymore in the default baselines and want you to manually select updates. I used to use the HPE VIBs library before VMware started including them, but now it seems I need to go back and create separate baselines.
I'd like to just create baselines that include all HPE stuff, but it sounds like they want you to hand pick drivers, which I haven't really figured out how or which ones to select.
Anonymous3891@reddit (OP)
Sounds like you're using the baselines and not images?
We switched to images last year (since they're deprecating baselines), and it's much easier to manage the vendor-specific stuff that way. There are 'Vendor Add-ons' published to VMware's repos, and you can pick one to tack onto an image for a cluster or host; it contains the drivers and other typical utilities you'd expect. We use Cisco UCS, but HPE is in there as well as most other major vendors from what I can tell.
You can also select additional components (like async tools releases) and drivers to add. It's much like creating a baseline group, but it just plain works better all around. We're still on 7.0u3 as well for most stuff; we've got just a few blades left that are unsupported on 8, which we should have out of the mix soon so we can upgrade. All but one of our vCenters are on 8 though.
We also had issues with the cluster updating even working, the vSphere replication service would linger doing...something...on a host and the maintenance mode would timeout. I had to write a rather lengthy PowerCLI script to get updates rolling automatically.
Anyhow, I'd suggest trying out the image updating on a host or small non-prod cluster and see what you think.
TheSmJ@reddit
Did you by chance use a guide to move from baselines to images? I tried last year, but was unable to get an image the hosts wanted to use/make vcenter happy.
Anonymous3891@reddit (OP)
I did not but I have converted a couple clusters at remote sites just yesterday and it's pretty straightforward.
From the cluster update tab, select images on the left and it will give you a big button that says 'convert to image' or something along those lines. (Do note this is not reversible on that cluster once you save an image so test it first!)
Next you probably only have two options to choose: the ESXi version you want to go to, and the Vendor Add-on. The latter will vary based on your hardware, and it'll have versions you can select as well (Dell and Cisco do for us, anyway, e.g. I can target our UCS firmware version, and Dell has their A## revision numbers). If you do have other things you need to add, like 3rd party drivers or the Async VMTools release, you can do that here as well.
Then you save the image and now you can remediate the cluster. You can also export that image as a JSON to import for other clusters, or as an ISO to use it to build new hosts.
If your vCenter is 8 you can do this on single hosts, if it's 7 you can't for whatever reason, but you can use that ISO to make an upgrade baseline to do it. I had to do that at one site.
TheSmJ@reddit
Thanks! This is vCenter 8. I tried converting the cluster again, and now it's complaining about a lack of OSData partition, so I need to get that figured out first.
I also got a warning about a couple of plugins that aren't in the image it suggested using (from HPE), but judging by the version numbers I'm pretty sure they're left over from the vCenter 7 install these hosts were originally part of.
GameBoiye@reddit
Thanks for the info, and yes we are using baselines still.
I did not realize they were deprecating baselines. It was my understanding that if you wanted to use images, then you would use the custom ISO from HPE. But that would lead to cases like this where you'd be stuck relying on them releasing a new custom image to be able to quickly address vulnerabilities like this, since you couldn't push the patch like you could with a baseline.
MrYiff@reddit
Nope, images will pull down the base official files and then let you add in the relevant vendor packages (assuming you have added their VMware repos). I've been using this for our Dell servers for a couple of years now and it works fine.
It has a nice benefit of being able to warn you if one host for example didn't install a package for whatever reason so you get a useful compliance tool to confirm your cluster is installed identically.
ESXI8@reddit
I've only got a few customers with vCenter; most are standalone hosts so I can't use the LM. Can I just upload the VMware offline bundle and run the esxcli commands on it instead of the HPE offline bundle?
Anonymous3891@reddit (OP)
I may be spoiled; I realize I have yet to update a host not in vCenter. Even in my homelab I use vCenter, and in the past, well... we weren't so diligent on patching :-)
I do have one we stood up for a group of devs recently that I'm going to need to update with my other stragglers. I'll let you know how it goes; planning to get to it today assuming I can get the okay from the local IT staff to bring the workload down for the update.
lost_signal@reddit
There is absolutely nothing magical about that ISO that you can’t re-create using their depot and the base vanilla image.
Joshposh70@reddit
We take the line of "Always install and upgrade major versions with a custom HP image, but minor patches can be done with either or"
HP's VIBs are usually not the vulnerability, and patching doesn't remove the ones already present.
secret_configuration@reddit
That's what we do as well, typically use Dell Custom ISOs as new versions become available and then apply patches to address any vulnerabilities in-between.
Achtra@reddit
It's perfectly fine to just install the security update to 2d or 3d.
epsiblivion@reddit
Custom ISOs always take a while after the vanilla ESXi update releases.
TheSmJ@reddit
I'm wondering the same thing. I have to contact their support for a bad DIMM anyway so I may bring it up then.
Motor_Mad@reddit
Can this patch be applied to any 7.0u3 version like 7.0u3g without having to update vCenter to a similar version?
Egendary@reddit
Guys, as a newbie here: we have one vCenter and 2 hosts installed with custom images. Where do I start to install these updates? Will they stop my hosts in some way?
trail-g62Bim@reddit
Has anyone had any issues lately with updates not appearing? I don't have these yet and my vCenter server still doesn't see the update from Dec.
GameBoiye@reddit
Have you checked internet access? I know ours had problems showing December, and it was because something changed that stopped vCenter from being able to connect to the VMware repos. Network team had to open additional access.
trail-g62Bim@reddit
I saw an article about that but it seems to be able to pull the repo info without issue.
bobmlord1@reddit
The download link on the support site is... unpopulated? Where Download should be it's just blank.
BmanUltima@reddit
You get a download button? It's just blank for me.
squidr@reddit
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5773
This populated fine for me?
NetAcademic9904@reddit
Normally happens when you’re not entitled. Who the hell still has a support contract for 6.7?
I recently upgraded a client from 6.7 to 8.0 but they have a single host at another site.
Broadcom Support told me to fuck off essentially.
bobmlord1@reddit
7.0 is actually what I'm trying to download. I've got every other update rollup this way with the same login.
bobmlord1@reddit
And now they're telling me I haven't had a valid contract in 2 years.
RandomLolHuman@reddit
I can't seem to find anything concrete saying it's actively being exploited in attacks. I don't doubt it though, but anyone got anything about this?
MarbinDrakon@reddit
From the advisory: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004#are-the-vulnerabilities-being-exploited-in-the-wild
I believe they were also added to CISA's KEV list
ceantuco@reddit
ugh
neko_whippet@reddit
How come if it's already like 8.0u3b you can't just install the patch without an updated ISO?
ceantuco@reddit
not sure. We are running 7U3P. 'R' was released in December and the custom Lenovo image was available about 1 month later.
GullibleDetective@reddit
Luckily like many of these, they already need to be in your network to threaten ya.
Doesn't mean you can rest on your Laurel's and Yanny's
imstaceysdad@reddit
Unless you're a cloud service provider. In theory, a client could be breached and this vulnerability can be leveraged to escape the VM with privileged access to ESXi.
Confident_Trade9884@reddit
The bulletin notes are a little confusing. Could someone clarify, are all versions before 8.3d build version 24585383 affected by this vulnerability?
The bulletin states 8.0 is susceptible to this vulnerability. I would read that as 8.0 and 8.0 alone. Most vendors would say '8.3c and below' when stating impacted versions.
TronFan@reddit
It's 8.0.2/8.0.3 rather than 8.2/8.3. So 8.0 covers both.
Essentially if you have something version 8 you need to patch up to 8.0.3 build 24585383 (aka 8.0 3d)
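An added example, not from anyone in the thread: a PowerCLI snippet that lists the hosts in a vCenter and flags 8.0.x hosts whose build is below the fixed 8.0.3 build 24585383 quoted above. The vCenter name is a placeholder; the fixed build for the 7.0 line is not given in the thread, so 7.x hosts are only marked for a manual check.

```powershell
# Added example (not from the thread). Requires VMware PowerCLI and a session
# with read access to the vCenter named below (placeholder host name).
param(
    [string]$VCenter = 'vcenter.example.internal'
)

# Fixed build for the 8.0 line as stated in the thread: 8.0.3 build 24585383 (8.0 U3d).
$FixedBuild80 = 24585383

function Get-VmsaPatchState {
    param([string]$Version, [string]$Build)
    # VMHost.Version looks like "8.0.3"; VMHost.Build looks like "24585383".
    if (-not ($Version -match '^(\d+)\.(\d+)\.(\d+)')) { return 'unknown-version' }
    $major    = [int]$Matches[1]
    $buildNum = 0
    if (-not [int]::TryParse($Build, [ref]$buildNum)) { return 'unknown-build' }

    switch ($major) {
        # Any 8.0.x build older than 24585383 still needs the 8.0 U3d update.
        8       { if ($buildNum -ge $FixedBuild80) { 'patched' } else { 'needs-8.0U3d' } }
        # 7.0 U3s is the fix for the 7.0 line, but its build number is not in the thread.
        7       { 'check-7.0U3s-manually' }
        default { "unsupported-line-$major" }
    }
}

Connect-VIServer -Server $VCenter | Out-Null
Get-VMHost | ForEach-Object {
    [pscustomobject]@{
        Host    = $_.Name
        Version = $_.Version
        Build   = $_.Build
        State   = Get-VmsaPatchState -Version $_.Version -Build $_.Build
    }
} | Sort-Object State, Host | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```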
Routine_Brush6877@reddit
So glad I just decomed my last ESXi host :D
ceantuco@reddit
what did you migrate to?
Routine_Brush6877@reddit
Hyper-V. Not a huge environment so it was a piece of cake.
ElevenNotes@reddit
and Hyper-V has never had CVEs?
Joshposh70@reddit
Are you always this hostile, or just on Reddit?
ElevenNotes@reddit
What is hostile about asking why switching to Hyper-V avoids CVEs?
BmanUltima@reddit
I don't think that's why people are ditching Broadcom.
ElevenNotes@reddit
I recap: there is a CVE on ESXi, user /u/Routine_Brush6877 said he's glad to have decommissioned his last ESXi.
What do you think this means in this context? Exactly, /u/Routine_Brush6877 is glad he is not affected by this CVE.
My comment highlights that all products have CVEs from time to time. There is no 0 CVE product on a large enough time frame.
Your comment is about the takeover of VMware by Broadcom which has nothing to do with CVEs.
I hope this helps.
KarmicDeficit@reddit
You said it yourself: u/Routine_Brush6877 is glad that he’s not affected by this CVE. The fact that Hyper-V also has CVEs is irrelevant to his current happiness.
Considering the amount of drama and ill will you elicit on every subreddit you’re active in, at some point do you ask yourself if the way you communicate is the problem?
ElevenNotes@reddit
If that's the case. What's the point highlighting you are not affected except shitting on all the people who are?
bobmlord1@reddit
Are you really comparing losing a house in a wildfire to needing to install a security patch?
Routine_Brush6877@reddit
Y'all need to go touch some grass. It was a throwaway "Man, I'm glad I got rid of this before disaster struck" comment and I didn't intend to hurt your feelings. We're adults here.
Joshposh70@reddit
Because he's not saying that at all, he's saying that he's happy to have avoided this CVE.
At no point did the OP say "I'm sure glad I never have to deal with a vulnerability again because I moved to Microsoft™ Hyper-V™!"
TheBestHawksFan@reddit
That's not what he's saying. He is just happy he doesn't have to deal with this particular CVE.
ElevenNotes@reddit
Till there is the next CVE affecting Hyper-V.
TheBestHawksFan@reddit
Okay but that's not what he was saying. I don't know why you're commenting on this like this. It's odd.
ceantuco@reddit
yeah our environment is fairly small. 3 host cluster and about 30 vms.
ElevenNotes@reddit
That's a /r/homelab 😉 /s
TheBestHawksFan@reddit
I am angry.
Abracadaver14@reddit
Yep, deployed on our internal usage esx hosts this afternoon. If no funny business overnight, we'll start deployment on our customer related hosts tomorrow. About 200 to go.
DarkAlman@reddit
So much for my evening
james4765@reddit
Patch just hit the updates repo. Time for the fire drill.