I swear I’m not picking on them. Some customers of Broadcom’s VMware division are currently unable to access essential security patches, which increases the risk of cyberattacks on their systems. Users with perpetual licenses who do not have an active support contract are especially affected, as Broadcom has not been renewing these contracts unless customers switch to software subscriptions. In April 2024, Broadcom’s CEO Hock Tan assured customers they would have free access to zero-day security patches for supported versions of VMware’s vSphere. However, users have reported difficulties accessing these patches through the support portal, with some stating there could be delays of up to 90 days before fixes are available. A VMware spokesperson confirmed that only entitled customers can currently access the patches, raising concerns since attackers are known to target VMware systems. In 2025, VMware issued eleven security advisories highlighting critical flaws that could enable attackers to run code on host machines.
VMware has announced a significant change in its development strategy, shifting from a two-year release cycle to a more deliberate three-year schedule while extending support durations for its products. This adjustment responds to growing pressure from enterprises facing steep licensing cost increases and upgrade fatigue, especially after Broadcom’s acquisition of VMware. The new approach for VMware Cloud Foundation version 9.0 will now provide six years of support, with minor releases every nine months instead of six. According to Sanchit Vir Gogia, chief analyst at Greyhound Research, Chief Information Officers see the current 24-36 month period as crucial for platform strategy decisions, as they navigate substantial cost increases that can reach up to 500 percent. The longer timelines and revised support model aim to offer enterprises more flexibility and predictability in their technology planning.
Why do we care?
Broadcom’s back at it again—this time, by blocking access to critical VMware security patches unless customers pony up for subscriptions. Even though Hock Tan promised free zero-day patches last year, turns out that doesn’t help if you can’t download them without a current support contract. And customers with perpetual licenses? You’re out of luck.
This is a huge problem. If you’re an MSP managing VMware workloads, you now have clients running vulnerable systems that you can’t patch—unless you push them into new licensing. That’s not service delivery—that’s hostage negotiation.
And sure, they’ve slowed the release cycle to three years with longer support windows. But that’s just window dressing. The real issue is trust—VMware used to be boring in a good way. Now, it’s anything but.
This isn’t just a pricing issue—it’s a liability. If you haven’t already started evaluating exit strategies from VMware, ask yourself, why not?