A software patch delay has left some perpetual license owners exposed, renewing frustration with Broadcom’s post-acquisition moves
Photo by Fernando Hernandez on Unsplash
Let’s talk about something unsettling if you depend on VMware to keep your servers or environments secure: critical patches that aren’t reaching everyone who needs them. And unfortunately, it’s not a glitch — it’s part of a larger shift that’s putting pressure on users with older licenses.
Some customers can’t access security patches
Earlier this month, VMware publicly disclosed three critical vulnerabilities found in eight of its products. On July 15, it shared VMware Security Advisory 2025-0013, detailing the flaws and promising patches.
But for users holding legacy perpetual licenses — meaning those who bought VMware once and aren’t on one of Broadcom’s newer subscription plans — those patches aren’t all accessible. Several customers told The Register they couldn’t download the updates through Broadcom’s support portal.
The kicker? These users were told by customer service they may have to wait up to 90 days to access the patches.
That’s a long time to stay exposed.
Broadcom’s official stance? The company says it hasn’t changed its policy. According to a spokesperson, users of legacy VMware products are still entitled to receive critical security updates, even without a support contract — as long as the product is still supported.
However, because the portal requires validation of entitlements, it currently blocks anyone without a valid support subscription from accessing the patch.
So yes, the promise is still there. But when that future patch delivery happens (or how), remains vague.
Photo by Markus Spiske on Unsplash
Why this matters more than ever
When Broadcom acquired VMware, it didn’t just change ownership. It overhauled VMware’s long-running business model.
Out with perpetual licenses. In with bundled subscription packages.
That move alone pushed some IT teams and organizations to stick with their existing licenses and avoid the switch. Now, those same users are being told their patch access is delayed, or in limbo.
And it doesn’t stop at delays. Broadcom has also sent audit letters to perpetual license holders, pressuring them over compliance and licensing terms.
All of this has led to growing concerns about whether Broadcom is squeezing legacy customers to migrate to its new subscription model — even at the cost of security.
Regulatory pushback is brewing in Europe
This latest patch problem isn’t happening in a vacuum.
Just as users are raising concerns, the Cloud Infrastructure Services Providers in Europe (CISPE) trade association filed a legal challenge against Broadcom’s VMware acquisition. On July 24, they officially asked the European General Court to annul the European Commission’s approval of the $61 billion deal.
CISPE’s case? Since taking over, Broadcom has:
- Ended contracts with little notice
- Forced users into higher-cost, multi-year license commitments
- Removed access for many smaller cloud partners
- Introduced practices that CISPE describes as “unfair” and “onerous”
The European Commission initially focused on hardware compatibility concerns during its merger review. Critics now say it ignored the deeper business implications, like pricing power and forced subscriptions.
While a reversal of the acquisition seems unlikely, the case could put pressure on Broadcom to compromise — at least with European partners.
Photo by Patrick Weissenberger on Unsplash
What’s next for VMware users?
If you’re running a VMware perpetual license without a current support plan, here’s what you might want to watch:
- Keep an eye out for a “separate patch delivery cycle,” which Broadcom claims is coming
- Understand that delays of up to 90 days could mean exposure to known vulnerabilities
- Consider that changing licensing conditions may affect your access to software updates and support going forward
And if you’re in Europe, the outcome of this court challenge could have ripple effects for how Broadcom handles licensing and partner programs.
For now, what’s clear is this: not everyone who needs a critical security patch can get it, and that’s raising alarms across the VMware community.
Stay tuned — we’ll be watching how this unfolds.
Keywords: VMware security patches, Broadcom subscription model, VMware perpetual license, Broadcom VMware acquisition, CISPE, European Commission VMware, software entitlement access, VMware vulnerability patches
