
Broadcom forces VMware clients to roll back crucial updates
Broadcom's recent changes to VMware licensing agreements are causing concern among IT professionals. Reports indicate that customers with lapsed support contracts are being told to roll back security updates, re-exposing them to vulnerabilities they had already patched.
In early May 2025, VMware's parent company Broadcom began issuing cease-and-desist letters to customers with perpetual licences whose customer support had expired. These letters, according to reports verified by Ars Technica and highlighted by Comparitech in an analysis, demand that customers remove all updates made after the end of their support contracts, under threat of audits and possible litigation.
The only exception allows customers to keep updates that address zero-day vulnerabilities or that carry a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher; every other security update must be rolled back to comply with Broadcom's current policy. That exception is narrow: 9.0 is the bottom of the "Critical" band in CVSS v3.x, so fixes for "High" severity flaws (7.0 to 8.9), a band that routinely includes remotely exploitable bugs, fall outside it.
Network administrators and IT professionals have expressed alarm at this directive's potential security and operational ramifications. According to users active on technical forums, including Reddit's /r/sysadmin, affected companies are placed in a difficult position: either remove important updates and risk security lapses, switch to more expensive subscription packages, or face the possibility of legal actions.
Comparitech's analysis described this as leaving companies in a "zero-sum game" that could jeopardise future business prospects and the security of sensitive data.
"Broadcom has effectively created a zero-sum game in which many existing customers who were grandfathered in after it purchased VMWare must now make a choice that could cost them millions and risk not only the future of their company but also the secure data that they maintain," the analysis stated.
The policy has broader cybersecurity implications because rolling back updates reintroduces known vulnerabilities into production environments. Attackers, ransomware groups included, routinely exploit flaws that have already been publicly patched: WannaCry, for example, spread through a Windows SMB vulnerability for which Microsoft had shipped a fix two months earlier.
"Update and security patch rollbacks are not benign. They reintroduce well-documented security flaws that cyber criminals have already learned to scan for and exploit," the analysis explained.
The concrete concern is that attackers scan for exactly these known, previously patched flaws. A host that was patched and then reverted looks, to a scanner, no different from one that was never patched, and the public advisory and any proof-of-concept exploit for the flaw are already in circulation.
"Broadcom's efforts to force security rollbacks effectively threaten license holders with an order-of-magnitude increase in their risk of a data breach. While the company holding the license ultimately has the legal responsibility and business imperative to protect data, such actions on Broadcom's part raise serious ethical questions when businesses are forced to decrease protections and increase risk," Comparitech notes.
Beyond security, rolling back updates can undermine the stability of critical IT infrastructure. Many updates bundle security fixes with performance, bug and compatibility fixes, so reverting them may destabilise hypervisors, break integrations with backup or disaster recovery tools that are certified against specific builds, and disrupt operations in environments where reliability is crucial.
"When companies are forced to revert their systems to an earlier state, it can quickly destabilise hypervisors, completely invalidate integrations with backup or DR tooling, and painfully disrupt resource scheduling for virtual workloads," Comparitech warned.
For organisations in sectors such as education, healthcare, and government, where large volumes of regulated personal or health information are managed, system failures and downtime can become significant operational and financial risks.
The sentiment among long-time VMware customers is described as betrayal and frustration.
"This is like a mafioso shaking down a shopkeeper for protection money. I swear, if they won't be reasonable on my next phone call with them, then I will make it my mission — with God as my witness — to break the land speed record for fastest total datacenter migration to Hyper-V or Proxmox or whatever and shutting off ESXi forever. I'm THAT pissed off," one IT professional commented in April 2025 on /r/sysadmin.
Comparitech's analysis suggests that Broadcom's actions put companies in a position where expensive migration to alternative platforms or subscription services may be the only safe option. However, these can be lengthy and complex processes. Many organisations may face significant costs or risks during the transition, and some may be unprepared to switch off VMware infrastructure quickly.
With Broadcom reportedly willing to take legal action against non-compliant customers, as seen in an ongoing case against Siemens, the only immediate recourse for affected companies is to fortify their own defences. Recommended steps include hardening the network perimeter, isolating rolled-back hosts on a management network that is not reachable from user or internet-facing segments, enforcing strict access controls on vCenter and ESXi, increasing monitoring and detection around those hosts, scanning regularly for the vulnerabilities that the rollback reintroduces, auditing backup systems and verifying that restores still work against the reverted builds, removing any internet-facing exposure of management interfaces, and keeping a rapid response plan ready for the duration of the migration period.
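Before any of those mitigations can be scoped, an administrator has to know which patches on each host actually post-date the support contract and which of them the CVSS 9.0 / zero-day exception lets them keep. The following script is an added example, not code from the article, Comparitech or Broadcom. It parses the fixed-width table printed by `esxcli software vib list` (using the dashed header line to find the column boundaries) and sorts each VIB installed after the contract ended into "retain" or "rollback" under the policy described above. The VIB lines, the support-end date and the VIB-to-advisory mapping are all constructed sample data; in practice the mapping has to be built from VMware's advisories for the specific builds in your environment.

```python
"""Triage ESXi VIBs against a support-expiry date and the CVSS 9.0 retention rule.

Added example; not code from the article, Comparitech or Broadcom. Sample data below
is constructed and the advisory map is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

CVSS_RETAIN_THRESHOLD = 9.0  # per the reported policy: 9.0 or higher may be kept

# Constructed sample output modelled on the layout of `esxcli software vib list`.
# Names, versions and dates are illustrative and do not refer to real VMware bulletins.
SAMPLE_VIB_LIST = """\
Name        Version               Vendor  Acceptance Level  Install Date  Platforms
----------  --------------------  ------  ----------------  ------------  ---------
esx-base    8.0.2-0.0.10000001    VMW     VMwareCertified   2023-10-15    host
esx-ui      2.13.0-10000002       VMware  VMwareCertified   2024-02-20    host
esx-tools   12.3.5-10000003       VMware  VMwareCertified   2024-05-04    host
net-vmxnet  1.1.3.0-10000004      VMW     VMwareCertified   2023-06-01    host
acme-nic    3.2.1-10000005        ACME    PartnerSupported  2024-04-10    host
esx-auth    1.0.5-10000006        VMW     VMwareCertified   2024-03-12    host
"""

# Hypothetical advisory data keyed by VIB name: (CVSS base score, fixes a zero-day).
# VIBs absent from this map are treated as having no security advisory on record.
SAMPLE_ADVISORIES: dict[str, tuple[float, bool]] = {
    "esx-ui": (8.8, False),     # High: a real fix, but below the 9.0 bar
    "esx-tools": (9.8, False),  # Critical: may be kept
    "esx-auth": (7.2, True),    # zero-day fix: may be kept despite the score
}

SUPPORT_END = date(2024, 1, 1)  # constructed contract end date


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: date


def parse_vib_list(text: str) -> list[Vib]:
    """Parse `esxcli software vib list` output; column widths come from the dashed line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, dashes, rows = lines[0], lines[1], lines[2:]
    spans: list[tuple[int, int | None]] = []
    start = None
    for i, ch in enumerate(dashes + " "):  # trailing space closes the final run
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            spans.append((start, i))
            start = None
    names = [header[a:b].strip() for a, b in spans]
    spans[-1] = (spans[-1][0], None)  # last column: read to end of line
    vibs = []
    for row in rows:
        fields = dict(zip(names, (row[a:b].strip() for a, b in spans)))
        vibs.append(Vib(
            name=fields["Name"],
            version=fields["Version"],
            vendor=fields["Vendor"],
            acceptance=fields["Acceptance Level"],
            install_date=date.fromisoformat(fields["Install Date"]),
        ))
    return vibs


def triage(vibs: list[Vib], advisories: dict[str, tuple[float, bool]],
           support_end: date, threshold: float = CVSS_RETAIN_THRESHOLD
           ) -> dict[str, list[tuple[str, str]]]:
    """Bucket each VIB as pre_support, retain or rollback, with a reason string."""
    result: dict[str, list[tuple[str, str]]] = {"pre_support": [], "retain": [], "rollback": []}
    for v in vibs:
        if v.install_date <= support_end:
            result["pre_support"].append((v.name, "installed under contract"))
            continue
        score, zero_day = advisories.get(v.name, (None, False))
        if zero_day:
            result["retain"].append((v.name, f"zero-day fix, CVSS {score}"))
        elif score is not None and score >= threshold:
            result["retain"].append((v.name, f"CVSS {score} >= {threshold}"))
        elif score is not None:
            result["rollback"].append((v.name, f"CVSS {score} below {threshold}; exposure returns"))
        else:
            result["rollback"].append((v.name, "no security advisory on record"))
    return result


if __name__ == "__main__":
    report = triage(parse_vib_list(SAMPLE_VIB_LIST), SAMPLE_ADVISORIES, SUPPORT_END)
    for bucket, items in report.items():
        for name, reason in items:
            print(f"{bucket:12} {name:12} {reason}")
```

Run `esxcli software vib list` on each host over SSH and feed the captured text to `parse_vib_list`; the "rollback" bucket, with its CVSS scores, is the list that should drive the isolation, scanning and monitoring steps above, since those are the flaws that will be live again once the hosts are reverted.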
Broadcom completed its acquisition of VMware in 2023 and subsequently shifted VMware's licensing strategy. Perpetual licences for VMware products were discontinued, and new requirements pushed customers towards pricier, multi-year subscription models. In early 2024, the company also ended the availability of VMware's free ESXi hypervisor. It began restricting access to software downloads and binaries for customers without an active support-and-subscription agreement.
"Broadcom's push to change VMware's licensing strategy was terrible from a customer service and customer satisfaction standpoint, but not immediately dangerous to customers and their data. However, the company's new efforts to strong-arm perpetual license holders into pricier subscription packages by canceling or failing to allow renewals of SnS agreements push its strategy into potentially unethical realms that endanger companies and their customers," Comparitech noted in its analysis.
Comparitech plans to continue monitoring ransomware attack trends to assess whether future incidents can be traced to systems exposed through the forced rollback of security updates under Broadcom's policy.
