
VMware customers holding perpetual licenses without current support contracts are being blocked from accessing critical security patches through Broadcom’s support portal, according to a report.
The access restrictions create immediate security risks for enterprise customers, particularly as VMware has published multiple critical security advisories in 2025, including vulnerabilities that allow attackers to escape from virtual machines and execute code on host systems.
Affected perpetual license holders have reported that they cannot download patches, with VMware support staff indicating it may take 90 days before security fixes become available through alternative channels, according to a report by The Register.
“Broadcom’s decision to restrict patch access has redrawn the boundaries of acceptable vendor behaviour,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “This isn’t just about patch policy — it’s about shifting software ownership norms from permanence to conditionality.”
Portal changes block access despite CEO commitment
A VMware spokesperson, quoted in the report, confirmed the access limitation, stating that “because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time.”
The company indicated that “a separate patch delivery cycle will also be available for non-entitled customers and will follow at a later date,” but provided no specific timeline.
Internal Broadcom communications, according to The Register report, show support staff acknowledging that “recent changes to our support portal, related to entitlement checking, will cause delay in making patches available to customers with expired entitlements.”
Recent security advisories have warned of critical vulnerabilities affecting ESXi, Workstation, and Fusion. These flaws enable attackers with administrative privileges on virtual machines to execute code on host systems.
Earlier this year, VMware disclosed vulnerabilities that were actively exploited in the wild, including CVE-2025-22224 and CVE-2025-22225. CISA added these to its Known Exploited Vulnerabilities catalog.
“In an era where delayed remediation can lead to breach exposure or compliance failure, the right to patch must be decoupled from subscription status,” Gogia explained. He added that CISOs must now treat patch access as a board-level assurance issue.
Enterprise customers face subscription pressure
The security patch issue reflects broader challenges since Broadcom’s acquisition. The company eliminated perpetual licenses in favor of subscription-only pricing, with many customers reporting significant cost increases.
“In this new landscape, licensing must be treated as a live operational dependency, not a closed financial transaction,” Gogia explained.
Neil Shah, VP for research and partner at Counterpoint Research, said the situation reflects common acquisition challenges. “Acquisitions are always a double-edged sword — you get scale but sometimes disparity, discontinuity, and discontent with acquired customers sets in if goals, culture, and customer strategies are misaligned.”
Broadcom consolidated VMware’s product portfolio from approximately 200 items into subscription bundles, forcing customers into comprehensive packages that include products they don’t require.
Court ruling reframes vendor obligations
The subscription pressures and support access restrictions have prompted legal challenges. A Dutch court recently ordered Broadcom to continue providing VMware support to the Ministry of Infrastructure and Water Management (Rijkswaterstaat) for up to two years during the agency’s migration to alternative platforms.
The District Court of The Hague found that Broadcom’s refusal to provide transition support constituted a breach of “duty of care.” The court noted that the agency uses VMware to manage critical infrastructure. Failure to comply results in daily penalties of €250,000, capped at €25 million.
“The ruling sends a clear message: operational disruption caused by licence enforcement is no longer a private matter — it’s a justiciable event with reputational and financial consequences,” Gogia noted.
Shah said the ruling’s emphasis on “duty of care” and requirement for “exit support” sets a strong precedent with broad implications for “the broader enterprise software M&A landscape.”
Market response and financial impact
Beyond legal challenges, enterprise customers are taking practical steps to address Broadcom’s pricing and support changes. Telefónica Germany shifted to third-party VMware support through Spinnaker after receiving Broadcom renewal quotes five times higher than expected, the report added. AT&T filed suit over support contract changes and announced plans to migrate away from VMware.
Despite customer resistance, Broadcom reports that 87% of VMware’s top 10,000 customers have signed VMware Cloud Foundation agreements. The company reported 20% revenue growth to $15 billion in Q2 2025, with VMware contributing to 25% growth in the infrastructure software division.
However, Shah noted that Broadcom needs to “take a higher road and enable seamless onboarding and business continuity for VMware partners and customers into its ecosystem.”
Strategic implications for IT leaders
The VMware situation forces enterprise IT teams to reassess virtualization dependencies and risk tolerance. Organizations must evaluate security exposure when critical patches may be delayed by 90 days.
“Enterprises must no longer assume that perpetual licensing guarantees long-term access to updates or support,” Gogia advised. “Instead, they must embed entitlement protection clauses, including escrow-backed patch rights and enforceable continuity terms, directly into vendor contracts.”
Shah advised IT leaders to implement contractual safeguards “assessing risk in case of acquisitions, bankruptcy or SLA lapses and including special provisions for right to renegotiate or compensation with extended support for critical software.”
He also suggested working with regulatory bodies to establish protective frameworks that help mitigate such risks.
Broadcom and VMware did not immediately respond to requests for comment.
Source: Network World