Some VMware perpetual license holders are currently unable to download security patches, The Register reported today. The virtualization company has only said that these users will receive the patches at “a later date,” meaning users are uncertain how long their virtualization environments will be at risk.
Since Broadcom bought VMware and ended perpetual license sales in favor of bundled subscription-based SKUs, some organizations have opted against signing up for a subscription and are running VMware without a support contract. These users are still supposed to have access to zero-day security patches. However, some customers reported to The Register that they have been unable to download VMware patches from Broadcom’s support portal.
VMware customer service has told some of these customers that they may have to wait 90 days before they can download the patches, The Register reported.
On July 15, VMware disclosed three critical flaws in eight of its offerings.
When reached for comment, a Broadcom spokesperson told Ars Technica:
Nothing has changed in Broadcom’s commitment regarding critical VMware security patches. Users of legacy VMware products who no longer have active maintenance and support entitlements will have free access to critical security patches for as long as those products remain supported by Broadcom. This includes the patches for critical vulnerabilities addressed in VMware Security Advisory 2025-0013 [issued on July 15]. Because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time.
VMware’s rep told Ars that affected customers will receive the patches “at a later date” via “a separate patch delivery cycle” but didn’t specify when, bringing uncertainty to the security risk facing these users. Broadcom’s rep declined to specify how many users are affected.
Broadcom says the delayed security patches are related to portal limitations, but the chipmaker has otherwise put pressure on perpetual license holders without support contracts by sending them audit letters.
Broadcom’s VMware acquisition scrutinized again
News of security patches being delayed for perpetual license owners comes as the Cloud Infrastructure Services Providers in Europe (CISPE) trade association has filed an appeal to the European General Court challenging the European Commission’s (EC’s) approval of Broadcom’s VMware acquisition. In its announcement of today’s filing, the CISPE said it “is seeking an annulment of the Commission’s approval of that deal.”
