Broadcom forces VMware clients to roll back crucial updates

Techday NZ

09-05-2025

Broadcom's recent changes to VMware licensing agreements are causing concern among IT professionals. Reports suggest that customers are being forced to roll back security updates, potentially exposing them to previously patched vulnerabilities.
In early May 2025, VMware's parent company Broadcom began issuing cease-and-desist letters to customers with perpetual licences whose customer support had expired. These letters, according to reports verified by Ars Technica and highlighted by Comparitech in an analysis, demand that customers remove all updates made after the end of their support contracts, under threat of audits and possible litigation.
The only exception to this demand allows customers to retain updates addressing zero-day vulnerabilities, or those with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher. All other security updates must be rolled back in compliance with Broadcom's current policy.
Network administrators and IT professionals have expressed alarm at this directive's potential security and operational ramifications. According to users active on technical forums, including Reddit's /r/sysadmin, affected companies are placed in a difficult position: either remove important updates and risk security lapses, switch to more expensive subscription packages, or face the possibility of legal actions.
Comparitech's analysis described this as leaving companies in a "zero-sum game" that could jeopardise future business prospects and the security of sensitive data.
"Broadcom has effectively created a zero-sum game in which many existing customers who were grandfathered in after it purchased VMWare must now make a choice that could cost them millions and risk not only the future of their company but also the secure data that they maintain," the analysis stated.
The policy has broader cybersecurity implications because rolling back updates reintroduces known vulnerabilities into network environments. These are security flaws that cybercriminals, including ransomware groups such as those behind the notorious WannaCry attacks, have previously exploited.
"Update and security patch rollbacks are not benign. They reintroduce well-documented security flaws that cyber criminals have already learned to scan for and exploit," the analysis explained.
The security concern is that ransomware gangs may target these known vulnerabilities, exploiting them to breach companies that had already patched the flaws.
"Broadcom's efforts to force security rollbacks effectively threaten license holders with an order-of-magnitude increase in their risk of a data breach. While the company holding the license ultimately has the legal responsibility and business imperative to protect data, such actions on Broadcom's part raise serious ethical questions when businesses are forced to decrease protections and increase risk," Comparitech notes.
Beyond security, update rollbacks could negatively affect the stability of critical IT infrastructure. Many updates patch security holes and deliver performance improvements and compatibility enhancements. Reverting to previous software states may destabilise hypervisors, break integrations with backup or disaster recovery tools, and disrupt operations in environments where reliability is crucial.
"When companies are forced to revert their systems to an earlier state, it can quickly destabilise hypervisors, completely invalidate integrations with backup or DR tooling, and painfully disrupt resource scheduling for virtual workloads," Comparitech warned.
For organisations in sectors such as education, healthcare, and government, where large volumes of regulated personal or health information are managed, system failures and downtime can become significant operational and financial risks.
The sentiment among long-time VMware customers is described as betrayal and frustration.
"This is like a mafioso shaking down a shopkeeper for protection money. I swear, if they won't be reasonable on my next phone call with them, then I will make it my mission — with God as my witness — to break the land speed record for fastest total datacenter migration to Hyper-V or Proxmox or whatever and shutting off ESXi forever. I'm THAT pissed off," one IT professional commented in April 2025 on /r/sysadmin.
Comparitech's analysis suggests that Broadcom's actions put companies in a position where expensive migration to alternative platforms or subscription services may be the only safe option. However, these can be lengthy and complex processes. Many organisations may face significant costs or risks during the transition, and some may be unprepared to switch off VMware infrastructure quickly.
With Broadcom reportedly willing to take legal action against non-compliant customers, as seen in an ongoing case against Siemens, the only immediate recourse for affected companies is to fortify their IT security. Steps recommended include hardening network perimeters, isolating vulnerable systems, implementing strict access controls, enhancing monitoring and detection, regular vulnerability scanning, auditing backup systems, reducing internet-facing exposures, and establishing a rapid response plan during the migration period.
Broadcom completed its acquisition of VMware in 2023 and subsequently shifted VMware's licensing strategy. Perpetual licences for VMware products were discontinued, and new requirements pushed customers towards pricier, multi-year subscription models. In early 2024, the company also ended the availability of VMware's free ESXi hypervisor. It began restricting access to software downloads and binaries for customers without an active support-and-subscription agreement.
"Broadcom's push to change VMware's licensing strategy was terrible from a customer service and customer satisfaction standpoint, but not immediately dangerous to customers and their data. However, the company's new efforts to strong-arm perpetual license holders into pricier subscription packages by canceling or failing to allow renewals of SnS agreements push its strategy into potentially unethical realms that endanger companies and their customers," Comparitech noted in its analysis.
Comparitech plans to continue monitoring ransomware attack trends to assess whether future incidents can be traced to systems exposed through the forced rollback of security updates under Broadcom's policy.