VMSA2025-0004 – vSphere 6.7, 7.x 8.x

By the time you read this, hopefully you have already patched your environment against [VMSA2025-0004], which has a critical severity rating and CVSSv3 scores ranging from 7.1 to 9.3.

If you have read the security advisory, you have seen that patches have been made available for several ESXi versions. Even with an expired contract, you are allowed to download and install patches that fix a critical security issue. See Broadcom [KB314603] – Zero Day (i.e., Critical) Security Patches for vSphere (7.x and 8.x) Perpetual License Customers with Expired Support Contracts.

Based on this KB, you are allowed to install the versions of vCenter and ESXi listed below (at the time of writing this blog):

vCenter build numbers [KB2148380]

| Release name | Version | Release Date | Based on | Download |
|---|---|---|---|---|
| vCenter Server 8.0 Update 3d | 8.0.3.00400 | 21-10-2024 | VMSA-2024-0019 | link |
| vCenter Server 8.0 Update 2e | 8.0.2.00500 | 21-10-2024 | VMSA-2024-0019 | link |
| vCenter Server 7.0 Update 3t | 7.0.3.02200 | 21-10-2024 | VMSA-2024-0019 | link |
| vCenter Server 6.7 Update 3w | 6.7.0.58000 | 28-10-2024 | VMSA-2024-0019 | link |

ESXi build numbers [KB2143832]

| Release Name | Version | Release Date | Based on | Download |
|---|---|---|---|---|
| ESXi 8.0 U3d | 8.0U3d – 24585383 | 04-03-2025 | VMSA2025-0004 | link |
| ESXi 8.0 U2d | 8.0U2d – 24585300 | 04-03-2025 | VMSA2025-0004 | link |
| ESXi 7.0 U3s | 7.0U3s – 24585291 | 04-03-2025 | VMSA2025-0004 | link |
| ESXi670-202503001 | ESXi670-202503001 | 04-03-2025 | VMSA2025-0004 | link |

Note that for ESXi, these are all patch releases, so there is no ISO file available. More on that later in this blog.
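As an added example (not part of the original post), this PowerCLI snippet reports which ESXi hosts in a vCenter inventory are still below the VMSA2025-0004 fixed builds from the table above. It assumes VMware.PowerCLI is installed, Connect-VIServer has already been run, and that ESXi build numbers increase with release date within a version line, so a build equal to or higher than the fixed build released on 04-03-2025 carries the fix.

```powershell
# Added example, not from the original post: fleet check against the
# VMSA2025-0004 fixed ESXi builds listed in the table above.
# Assumes VMware.PowerCLI is installed and Connect-VIServer was already run.

# Fixed builds per ESXi version line, taken from the table in this post.
# The 6.7 patch (ESXi670-202503001) has no build number listed there, so
# 6.7 hosts are reported as 'check manually' rather than guessed.
$FixedBuild = @{
    '8.0' = 24585300   # 8.0U2d; 8.0U3d is 24585383 and also passes this check
    '7.0' = 24585291   # 7.0U3s
}

function Get-Vmsa20250004Status {
    foreach ($h in Get-VMHost) {
        # VMHost.Version is e.g. '7.0.3'; reduce it to the '7.0' version line.
        $line     = ($h.Version -split '\.')[0..1] -join '.'
        $required = $FixedBuild[$line]
        # Assumption: builds within a version line increase with release date,
        # so anything at or above the fixed build includes the fix.
        $status = if (-not $required)                 { 'check manually' }
                  elseif ([int]$h.Build -ge $required) { 'patched' }
                  else                                 { 'VULNERABLE' }
        [pscustomobject]@{
            Host     = $h.Name
            Version  = $h.Version
            Build    = $h.Build
            Required = $required
            Status   = $status
        }
    }
}

# Vulnerable hosts sort to the top of the report.
Get-Vmsa20250004Status | Sort-Object Status -Descending | Format-Table -AutoSize
```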

One interesting question that came up from a customer was the (in)ability to download the patch. As described in the VMSA2025-0004 [FAQ], you must have a license for the corresponding product/version to be able to download the patch. So let's say your environment is running ESXi 7.0U3 and you have already upgraded your licenses to ESXi 8 in the Broadcom portal. In that case you cannot download the patch for version 7 and you have to downgrade your license(s). If you are on an expired contract, upgrading or downgrading licenses is not possible.

Another interesting question that came up with some customers is the back-in-time upgrade challenge that you may remember from previous upgrade paths, described in these KBs:

  • [KB312157] – vCenter Server Back-in-time release upgrade restriction
  • [KB312160] – vSphere ESXi Back-in-time release upgrade restriction

As you can see, these KBs are no longer maintained and you are redirected to the Product Interoperability Matrix website for [interoperability] and [upgrades]. Here you can see (make sure to uncheck "Hide Legacy and Patch Releases") that it is supported to upgrade to vCenter / ESXi 8.0u3d from some really old releases, going back as far as 6.7 (yes, there may be some other challenges involved 😊). From here it also seems there are no back-in-time upgrade issues when going from the latest ESXi 7.0u3s to 8.0u3d, even though they have the same release date.

I decided to test some of these upgrade paths to see what it would look like to upgrade from a semi-old vSphere 7 environment to the latest vSphere 8 version. Mind you, this was executed in a plain and simple test environment without any workloads, so yes, in your production environment there can be quite some other challenges.


My starting environment is a fresh deployment of:

  • vCenter 7.0U3t – 7.0.3.02200 (latest release)
  • ESXi 7.0U3n (latest downloadable ISO release available).

As a substep, I upgraded ESXi to version 7.0U3q (P09) with VUM Baselines.

I then upgraded to the latest available ESXi version, 7.0U3s, with VUM baselines.

From an ESXi 7 security patch perspective we are good.


I then upgraded vCenter from 7.0U3t (latest) to the latest available vCenter 8.0U3d, both from the same release date. No issues were seen during this upgrade.


Finally, I decided to upgrade ESXi to 8.0U3d, which is where it got interesting. I tried 3 different options:

  • ESXi 8.0U3d patch baseline
  • ESXi 8.0U3d upgrade + patch baseline group
  • Custom ESXi 8.0U3d ISO Baseline

ESXi 8.0U3d patch baseline

Against better judgement, I imported the ESXi 8.0U3d patch, created a single VUM baseline containing the patch and attached it to the cluster. Obviously this doesn't work: a patch baseline cannot take a host across a major version. The Updates overview screen in vCenter looks a bit weird, showing the status as compliant (which it obviously is not). So it is not possible to upgrade this way.

ESXi 8.0U3d upgrade and patch baseline group

ESXi 8.0U3d is a patch release, so there is no ISO file available. As a second option, I imported the latest available ESXi ISO, which is 8.0U3b. I created an additional upgrade baseline, combined this with the previous patch baseline in a baseline group and attached this to the cluster.

  • Upgrade baseline ESXi 8.0U3b ISO
  • Patch baseline ESXi 8.0U3d Update

It is nice to see that the upgrade/patch succeeds, but whether this is fully supported is open for discussion, since according to the Product Interoperability Matrix it is not supported to upgrade from ESXi 7.0U3s to ESXi 8.0U3b. Might be a gray area?

Custom ESXi 8.0U3d ISO

I believe this is the official upgrade path: create a "custom" ESXi 8.0u3d ISO file. You can create it with the help of PowerCLI, but it may be even easier to do this through the web interface [Reference], which I will explain below:

-> In vCenter, go to Lifecycle Manager, Image Depot
-> Actions Menu -> Import Updates
-> Select the ESXi 8.0u3d patch file (“VMware-ESXi-8.0U3d-24585383-depot.zip”)

-> Create a new, empty cluster
-> Choose "Manage all hosts in the cluster with a single image" (aka vLCM Images).
-> For ESXi version, Select 8.0U3d – 24585383

Export the Cluster image
-> From the same page (Cluster Updates tab) as above
-> Under Image, click …, -> Export
-> Select ISO, Export

This may take some time, but an ESXi 8.0U3d ISO file is generated and automatically downloaded.

-> In vCenter, go to Lifecycle Manager, Imported ISOs -> Import ISO.
-> Select the file created earlier.

-> Create a new Upgrade Baseline
-> Select the imported ISO release
The name of the ISO seems to be standardized, but is good enough for now.

-> Attach the upgrade baseline to the Cluster in which you want to upgrade ESXi hosts.
-> Check Compliance and remediate

The end result is an upgraded ESXi host and a nice 8.0U3d ISO which can also be used to deploy new hosts.
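The PowerCLI route mentioned above, as an added example that is not part of the original post: build the same ESXi 8.0U3d ISO from the patch depot with the Image Builder cmdlets instead of the vLCM web UI. It assumes PowerCLI 13.x with a working VMware.ImageBuilder module (which needs a local Python install), the depot zip from the post saved under C:\Depots (placeholder path), and the usual "-standard" profile naming inside the depot.

```powershell
# Added example, not from the original post: create a custom ESXi 8.0U3d ISO
# with PowerCLI Image Builder. Assumes PowerCLI 13.x with VMware.ImageBuilder
# working (it requires a local Python install), and the paths below are placeholders.
Import-Module VMware.ImageBuilder

$DepotZip = 'C:\Depots\VMware-ESXi-8.0U3d-24585383-depot.zip'   # depot file name from the post
$IsoPath  = 'C:\Depots\VMware-ESXi-8.0U3d-24585383-custom.iso'  # placeholder output path

# Load the offline depot; its image profiles become visible to Get-EsxImageProfile.
$depot = Add-EsxSoftwareDepot -DepotUrl $DepotZip

# A patch depot normally ships a '*-standard' and a '*-no-tools' profile (assumed
# naming; the listing lets you confirm it against your copy of the depot).
Get-EsxImageProfile | Format-Table Name, Vendor, AcceptanceLevel -AutoSize
$source = Get-EsxImageProfile -Name 'ESXi-8.0U3d-*-standard' | Select-Object -First 1
if (-not $source) { throw "No standard 8.0U3d image profile found in $DepotZip" }

# Clone before exporting so the profile you ship is one you own and can extend
# (e.g. with vendor drivers) without touching the Broadcom-supplied profile.
$custom = New-EsxImageProfile -CloneProfile $source -Name 'ESXi-8.0U3d-custom' -Vendor 'lab'

# Export to a bootable ISO; this is the same kind of artifact vLCM's Export produces,
# and it can be imported under Lifecycle Manager -> Imported ISOs as described above.
Export-EsxImageProfile -ImageProfile $custom -ExportToIso -FilePath $IsoPath -Force

# Record a hash of the ISO so the file you later import and deploy can be verified.
Get-FileHash -Path $IsoPath -Algorithm SHA256 | Format-List Path, Hash

Remove-EsxSoftwareDepot -SoftwareDepot $depot
```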


Henk Engelsman
