Some VMware perpetual license holders are currently unable to download security patches, The Register reported today. The virtualization company has only said that these users will receive the patches at “a later date,” meaning users are uncertain how long their virtualization environments will be at risk.
Since Broadcom bought VMware and ended perpetual license sales in favor of bundled subscription-based SKUs, some organizations have opted against signing up for a subscription and are running VMware without a support contract. These users are still supposed to have access to zero-day security patches. However, some customers reported to The Register that they have been unable to download VMware patches from Broadcom’s support portal.
VMware customer service has told some of these customers that they may have to wait 90 days before they can download the patches, The Register reported.
On July 15, VMware disclosed three critical flaws in eight of its offerings.
When reached for comment, a Broadcom spokesperson told Ars Technica:
Nothing has changed in Broadcom's commitment regarding critical VMware security patches. Users of legacy VMware products who no longer have active maintenance and support entitlements will have free access to critical security patches for as long as those products remain supported by Broadcom. This includes the patches for critical vulnerabilities addressed in VMware Security Advisory 2025-0013 [issued on July 15]. Because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time.
VMware’s rep told Ars that affected customers will receive the patches “at a later date” via “a separate patch delivery cycle” but didn’t specify when, bringing uncertainty to the security risk facing these users. Broadcom's rep declined to specify how many users are affected.
Broadcom says the delayed security patches are related to portal limitations, but the chipmaker has otherwise put pressure on perpetual license holders without support contracts by sending them audit letters.
Broadcom’s VMware acquisition scrutinized again
News of security patches being delayed for perpetual license owners comes as the Cloud Infrastructure Services Providers in Europe (CISPE) trade association has filed an appeal to the European General Court challenging the European Commission’s (EC's) approval of Broadcom's VMware acquisition. In its announcement of today's filing, the CISPE said it "is seeking an annulment of the Commission’s approval of that deal."
The trade group argues that the EC didn’t enact any regulations that would “prevent a concentration of dominance or to mitigate the potential abuse of such a position.”
Others have been critical of the EC’s investigation of Broadcom's VMware buy before. The investigation largely focused on Broadcom’s potential to restrict competition by making third-party hardware components incompatible with VMware software. Some argued, however, that such a move would be more detrimental to Broadcom’s VMware business than to its competitors. The EC felt the acquisition led to higher prices but, arguably, placed little emphasis on the possibility of Broadcom increasing VMware prices, something that Broadcom indirectly did by bundling products and ending perpetual license sales and that CEO Hock Tan, pre-acquisition, denied would happen.
CISPE’s announcement today said:
Since finalizing the acquisition, Broadcom has unilaterally terminated existing contracts – often with only weeks’ notice – and imposed onerous new licensing conditions. These include drastic cost increases (sometimes exceeding tenfold) and mandatory multi-year commitments for access to essential VMware software.
CISPE also pointed to VMware recently axing smaller cloud partners from its VMware channel program as an example of Broadcom's "unfair software licensing practices."
When reached for comment, a Broadcom spokesperson told Ars Technica:
Broadcom strongly disagrees with these allegations. The European Commission, along with 12 other jurisdictions around the world, approved our acquisition of VMware following a thorough merger review process, and we will uphold the commitments made to the Commission at that time. We continue to bring our customers better choices and solutions to address their most complex technology challenges.
A reversal of the $61 billion acquisition is unlikely, but CISPE could pressure Broadcom to offer more favorable business terms to partners, especially cloud service providers in Europe. Broadcom recently cut members of the lowest tier of the VMware partner program in all of its geographies except for Europe, The Register pointed out.
The European General Court is expected to hold a hearing on whether the EC's approval should be reexamined.
Amazon Has the Best Deal on the New Samsung Galaxy Z Fold 7 Ahead of Its Release