VxRail: Information related to VMSA-2025-0013 and VxRail environments

Broadcom has published a VMware Security Advisory (VMSA) on several Critical and Important security issues with ESXi 7.0, and 8.0 described in VMSA-2025-0013. They have developed several ESXi patches to resolve these issues. For more information, see:

• VMware Security Advisory VMSA-2025-0013
• VMSA-2025-0013: Questions and Answers

VxRail Engineering released an updated VxRail Software 8.0.3xx package which includes the fix the issue described in VMSA-2025-0013. Details of this release are outlined below.

Note: There are no plans to provide a VxRail Software release for VxRail 7.0.411+ (ESXi 7.0U3) or 8.0.2xx (ESXi 8.0U2).
VxRail environments using these builds must install the ESXi patch manually to obtain the fix.

VxRail Engineering approved installing ESXi patches with the fix for these issues on existing VxRail and VMware Cloud Foundation on VxRail (VCF) clusters. Details of these and the process to install them are outlined below.

There are four issues described in VMSA-2025-0013:

• VMXNET3 integer-overflow vulnerability (CVE-2025-41236) - CVSSv3 9.3 (Critical)
• VMware Virtual Machine Communication Interface (VMCI) integer-underflow vulnerability (CVE-2025-41237) - CVSSv3 9.3 (Critical)
• PVSCSI heap-overflow vulnerability (CVE-2025-41238) - CVSSv3 9.3 (Critical)
• vSockets information-disclosure vulnerability (CVE-2025-41239) - CVSSv3 7.1 (Important)

For more information about these issues, see the above VMware Security Advisory (VMSA) article.

VxRail environments

Status of the issue in VxRail releases:

• This issue is resolved in VxRail 8.0.361

VxRail engineering recommends all customers upgrade to the above VxRail release to remediate this issue.

Manual remediation of the issue:

• This issue can be remediated in VxRail 7.0.411 and later releases with the ESXi 7.0U3w patch
• This issue can be remediated in VxRail 8.0.210 - 8.0.214 releases with the ESXi 8.0U2e patch
• This issue can be remediated in VxRail 8.0.300 and later releases with the ESXi 8.0U3f patch

A guide to installing the appropriate ESXi patch mentioned above can be found at: How to manually patch ESXi Nodes in VxRail environment

Note: There are no workarounds to the issues described in the above VMware Security Advisory (VMSA) article.
Note: Installing the ESXi 7.0U3w or ESXi 8.0U3f update blocks upgrades to current VxRail 8.0.x releases (up to VxRail 8.0.331). Upgrades will be unblocked when the next VxRail 8.0.x version is available.

VMware Cloud Foundation (VCF) on VxRail

Status of the issue in VCF releases:

• VCF 4.5.x environments should be upgraded to VCF 5.2.x. The ESXi 7.0U3w patch is not supported in VCF 4.5.x
• This issue can be remediated in VCF 5.2.x with the ESXi 8.0U3f patch

The above guide to installing the appropriate ESXi patches is also applicable to VCF 5.2.x. See article How to manually patch ESXi Nodes in VxRail environment for the necessary steps.

Note: Attempting to install the ESXi 7.0U3w patch on a VCF 4.5.x environment is not supported and may prevent upgrades or migrations to VCF 5.2.x.
Note: Installing the ESXi 8.0U3f update blocks VxRail upgrades in current VCF 5.2.x releases (including VCF 5.2.1.2 / VxRail 8.0.330). Upgrades will be unblocked when the next VCF/VxRail pairing is available.

Update considerations for VMware Cloud Foundation (VCF) on Dell VxRail.

Applying the ESXi patch outside a VxRail update can result in the VCF inventory being out of sync.

VCF 5.2 and later includes a feature to allow the inventory to be updated after installing the ESXi patch. For more information, see the following Broadcom/VMware article: Synchronize inventory versions after out-of-band upgrade in a VMware Cloud Foundation Environment

Notes on recommended upgrade paths when manually updating clusters

The following are the suggested upgrade paths:

• VxRail 8.0.300 - 8.0.331 can apply the ESXi 8.0U3f patch.
• VxRail 8.0.210 - 8.0.214 can apply the ESXi 8.0U2e patch
• VxRail 8.0.000 - 8.0.120, 8.0.230, and 8.0.240 must upgrade to an 8.0.3xx build before they can apply the ESXi 8.0U3f patch
• VxRail 7.0.411 - 7.0.550 can apply the ESXi 7.0U3w patch. If clusters are running VxRail 7.0.410 or lower, they must upgrade to VxRail 7.0.411 build or later first before applying a patch

VxRail Engineering management has provided the following statement regarding support for nodes which are updated outside a VxRail upgrade.

"Customers that manually apply the relevant security patches can continue to expect full support for their VxRail system"

Obtaining the ESXi patches from Broadcom

The ESXi updates mentioned above can be obtained from the Broadcom support portal (requires a Broadcom support account)

• ESXi 7.0U3w - Filename: VMware-ESXi-7.0U3w-24784741-depot.zip - Download link: https://support.broadcom.com/web/ecx/solutiondetails?patchId=15940
• ESXi 8.0U2e - Filename: VMware-ESXi-8.0U2e-24789317-depot.zip - Download link: https://support.broadcom.com/web/ecx/solutiondetails?patchId=15939
• ESXi 8.0U3f - Filename: VMware-ESXi-8.0U3f-24784735-depot.zip - Download link: https://support.broadcom.com/web/ecx/solutiondetails?patchId=15938