VxRail: Information related to VMSA-2025-0013 and VxRail environments
Summary: This article outlines the response from VxRail Engineering to the security issues described in VMware Security Advisory VMSA-2025-0013.
Symptoms
Broadcom has published a VMware Security Advisory (VMSA) on several Critical and Important security issues with ESXi 7.0 and 8.0, described in VMSA-2025-0013. Broadcom has developed several ESXi patches to resolve these issues. For more information, see:
- VMware Security Advisory VMSA-2025-0013 (External Link)
- VMSA-2025-0013: Questions and Answers (External Link)
VxRail Engineering released an updated VxRail Software 8.0.3xx package which includes the fix for the issues described in VMSA-2025-0013. Details of this release are outlined below.
VxRail environments using these builds must install the ESXi patch manually to obtain the fix.
VxRail Engineering approved installing ESXi patches with the fix for these issues on existing VxRail and VMware Cloud Foundation on VxRail (VCF) clusters. Details of these and the process to install them are outlined below.
Cause
There are four issues described in VMSA-2025-0013:
- VMXNET3 integer-overflow vulnerability (CVE-2025-41236) - CVSSv3 9.3 (Critical)
- VMware Virtual Machine Communication Interface (VMCI) integer-underflow vulnerability (CVE-2025-41237) - CVSSv3 9.3 (Critical)
- PVSCSI heap-overflow vulnerability (CVE-2025-41238) - CVSSv3 9.3 (Critical)
- vSockets information-disclosure vulnerability (CVE-2025-41239) - CVSSv3 7.1 (Important)
For more information about these issues, see the above VMware Security Advisory (VMSA) article.
Resolution
VxRail environments
Status of the issue in VxRail releases:
- This issue is resolved in VxRail 8.0.361
VxRail engineering recommends all customers upgrade to the above VxRail release to remediate this issue.
Manual remediation of the issue:
- This issue can be remediated in VxRail 7.0.411 and later releases with the ESXi 7.0U3w patch
- This issue can be remediated in VxRail 8.0.210 - 8.0.214 releases with the ESXi 8.0U2e patch
A guide to installing the appropriate ESXi patch mentioned above can be found at: How to manually update ESXi Nodes in a VxRail environment
VMware Cloud Foundation (VCF) on VxRail
Status of the issue in VCF releases:
- VCF 4.5.x environments should be upgraded to VCF 5.2.x. The ESXi 7.0U3w patch is not supported in VCF 4.5.x
- This issue is resolved in VCF 5.2.2 which includes VxRail 8.0.361
Recommended upgrade paths when manually updating clusters
The following are the suggested upgrade paths:
- VxRail 8.0.210 - 8.0.214 can apply the ESXi 8.0U2e patch
- VxRail 7.0.411 - 7.0.550 can apply the ESXi 7.0U3w patch. If clusters are running VxRail 7.0.410 or lower, the cluster must upgrade to VxRail 7.0.411 release or later before applying a patch
- VxRail 8.0.000 - 8.0.120, 8.0.230, and 8.0.240 must upgrade to VxRail 8.0.361 or later
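The upgrade paths above, expressed as a fleet triage check. This is an added example, not Dell or Broadcom code; the version-string format, the cluster names and the action strings are assumptions, and any version the article does not name is reported as not listed rather than guessed.

```python
import re

# Ranges copied from the article; action strings are wording for this example.
FIXED_8 = 361                                      # "resolved in VxRail 8.0.361"
PATCH_8 = (210, 214)                               # ESXi 8.0U2e patch
MUST_UPGRADE_8 = [(0, 120), (230, 230), (240, 240)]
PATCH_7_MIN = 411                                  # ESXi 7.0U3w: "7.0.411 and later"

def triage(version: str) -> str:
    """Map a VxRail version such as '8.0.212' to the article's guidance."""
    # Assumed format: major.minor.release with an optional '-build' suffix.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\d+)?", version.strip())
    if not m:
        return "unparsed: check version string"
    major, minor, rel = (int(g) for g in m.groups())
    if (major, minor) == (8, 0):
        if rel >= FIXED_8:
            return "resolved"
        if PATCH_8[0] <= rel <= PATCH_8[1]:
            return "apply ESXi 8.0U2e patch"
        if any(lo <= rel <= hi for lo, hi in MUST_UPGRADE_8):
            return "upgrade to VxRail 8.0.361 or later"
    elif (major, minor) == (7, 0):
        if rel >= PATCH_7_MIN:
            return "apply ESXi 7.0U3w patch"
        return "upgrade to VxRail 7.0.411 or later, then apply ESXi 7.0U3w patch"
    # Gaps such as 8.0.215 - 8.0.229 are not covered by the article.
    return "not listed in article: confirm with support"

# Constructed inventory: cluster name -> reported VxRail version.
INVENTORY = {
    "clu-a": "8.0.361", "clu-b": "8.0.212", "clu-c": "7.0.400",
    "clu-d": "8.0.230", "clu-e": "8.0.300", "clu-f": "7.0.480-00000000",
}

def report(inventory: dict) -> dict:
    """Return {cluster: action} for every cluster in the inventory."""
    return {name: triage(v) for name, v in inventory.items()}

if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(f"{name}: {action}")
```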
VxRail Engineering management has provided the following statement regarding support for nodes which are updated outside a VxRail upgrade.
"Customers that manually apply the relevant security patches can continue to expect full support for their VxRail system"
Obtaining the ESXi patches from Broadcom
The ESXi updates mentioned above can be obtained from the Broadcom support portal (External Link)
- ESXi 7.0U3w - Filename: VMware-ESXi-7.0U3w-24784741-depot.zip - Download link: https://support.broadcom.com/web/ecx/solutiondetails?patchId=15940 (External Link)
- ESXi 8.0U2e - Filename: VMware-ESXi-8.0U2e-24789317-depot.zip - Download link: https://support.broadcom.com/web/ecx/solutiondetails?patchId=15939 (External Link)