VMware restricts certain permanent license owners from accessing software updates
Some VMware customers, particularly those with perpetual licenses, are facing significant delays in accessing critical security patches due to changes following Broadcom's acquisition in late 2024. After the takeover, Broadcom ceased selling new perpetual licenses and shifted its focus to subscription-based models.
The access issues are tied to entitlement validation. Broadcom's support portal blocks patch downloads for customers who do not have active support contracts, even if they hold valid perpetual licenses. This creates a gap in vulnerability management for organizations that have chosen not to migrate to subscription plans.
The situation is further complicated by the disclosure of critical vulnerabilities, for which patches are inaccessible to affected customers. This delay, reported to be up to 90 days, directly increases security risks, especially in environments where VMware products are foundational.
Broadcom has acknowledged the patch access issues for customers without active support contracts. The company states that entitlement validation is causing delays but emphasizes that a separate patch delivery cycle will eventually be made available to "non-entitled customers" at a later, unspecified date. However, Broadcom has not provided a timeline for when these delayed patches will be released, nor any guarantee that the same level of immediate support will be available as for subscription customers.
The change in patch access policy has drawn criticism, particularly from public sector and enterprise customers who rely on VMware for critical infrastructure. The delay in releasing patches for non-subscription customers puts those organizations at higher risk of cyberattack. The situation has also led to legal intervention in some cases, such as in the Netherlands, where a court ordered Broadcom's VMware subsidiary to continue support for a government agency for at least two years.
In conclusion, Broadcom's restructuring of VMware's licensing and support model has inadvertently created a gap in security patch access for perpetual license holders without active support contracts, leading to delays and heightened risk. While Broadcom promises a future patch delivery mechanism for these customers, the timeline remains unclear, and in the interim, affected organizations must weigh the security risks against the costs of migrating to Broadcom's subscription offerings.

| Issue | Customers Affected | Broadcom Response | Customer Impact |
|-------|--------------------|-------------------|-----------------|
| Patch download blocked | Perpetual license, no support | Delayed "separate patch cycle" planned, date unknown | Increased security risk, frustration |
| Critical vulnerabilities | All, but patches delayed for some | Immediate patches for subscribers only | Exposure to known exploits |
| Transition pressure | Legacy license holders | Encouragement to move to subscriptions | Forced migration, cost concerns |

- Perpetual license holders without active support contracts are encountering delays in accessing critical security patches for their software, due to Broadcom's policy change and entitlement validation issues.
- Vulnerability management is compromised because affected customers are unable to download patches for up to 90 days, increasing security risks, particularly in public sector and enterprise environments reliant on VMware products.
- Broadcom intends to provide a separate patch delivery cycle to "non-entitled customers," but there is no guarantee of immediate support and the timeline for the delayed patches remains unclear. Organizations are left to weigh the risks of migrating to Broadcom's subscription service against enduring the security delays that come with their current perpetual licenses.