VxRail: How to Manually Patch ESXi Nodes

Summary: This article outlines the procedure for managing customer Service Requests (SR) to address security vulnerabilities (VMSA) in a VxRail or VCF On VxRail environment through manual patching. ...

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

VMware by Broadcom periodically issues advisories to address security vulnerabilities. The following steps describe the manual patching options for mitigating security risks in VMware infrastructure when the VxRail/VCF upgrade release is delayed, or when the customer is unable to perform a full upgrade due to any circumstances.

Cause

The VxRail/VCF upgrade release is delayed, or the customer is unable to perform a full upgrade due to any circumstances.

Resolution

Dell VxRail HIGHLY RECOMMENDS THAT CUSTOMERS WAIT FOR THE VxRail OR VCF-on-VxRail VERSIONS THAT INCLUDE THE FIXES.
 

Procedure to upgrade ESXi on hosts outside of a VxRail or VCF-on-VxRail upgrade.

 

Note: Update one host at a time because of the vSAN FTT=1 limitation.

Manual patching may trigger VxRail Manager noncompliance alarms in vCenter. The alarm is raised because the ESXi version no longer matches the version aligned with the VxRail build. This may affect future upgrades, which then require support interaction to remediate.

 

 

  1. Upload the ESXi patch to the service datastore on each host.
     
  2. Place the node into Maintenance Mode with the option "Ensure Accessibility".

     
  3. Run the following commands:

    Note: The version below is used for reference in this Knowledge Base (KB) article. The original fixed version may differ from the version used in the command example.
     
    # esxcli software sources profile list --depot='/<patch_location>/VMware-ESXi-7.0U3s-24585291-depot.zip'
    # esxcli software profile update -p ESXi-7.0U3s-24585291-standard --depot='/<patch_location>/VMware-ESXi-7.0U3s-24585291-depot.zip' 

     


    If needed, add the --no-hardware-warning argument to the command to bypass the hardware check:
    esxcli software profile update -d /vmfs/volumes/*-datastore-name*/VMware-ESXi-8.0U2d-24585300-depot.zip -p ESXi-8.0U2d-24585300-standard --no-hardware-warning

     
  4. Reboot the node and take it out of maintenance mode.
  5. Repeat the steps on the remaining nodes, one at a time.

    Similar steps can be followed to manually patch the witness appliance, followed by the steps in the KB article "VxRail: How to Manually Update vSAN Witness Appliance Using CLI".
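
A guarded version of step 3 for a single host, as an added example that is not part of the original article or Dell's tooling: it refuses to proceed unless the host reports maintenance mode and the requested profile is listed in the depot, then performs a dry run before the real update. The function names and exit codes are assumptions made for this example; the esxcli subcommands are the ones shown above plus `esxcli system maintenanceMode get` and the `--dry-run` option.

```shell
#!/bin/sh
# Added example (not Dell's or VMware's code): pre-flight checks around step 3.
# Intended for the ESXi shell on ONE host that is already in maintenance mode.

# Succeeds only if the host reports maintenance mode as Enabled.
in_maintenance_mode() {
    [ "$(esxcli system maintenanceMode get)" = "Enabled" ]
}

# Succeeds only if image profile $2 is listed in depot $1.
# The profile name is the first column of the listing; match it exactly.
depot_has_profile() {
    esxcli software sources profile list --depot="$1" |
        awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# patch_host DEPOT PROFILE [extra esxcli arguments, e.g. --no-hardware-warning]
# Exit codes (chosen for this example): 1 usage, 2 depot missing,
# 3 not in maintenance mode, 4 profile not in depot, 5 dry run failed,
# 6 update failed.
patch_host() {
    [ "$#" -ge 2 ] || { echo "usage: patch_host DEPOT PROFILE [args]" >&2; return 1; }
    depot=$1; profile=$2; shift 2
    [ -f "$depot" ] || { echo "depot not found: $depot" >&2; return 2; }
    in_maintenance_mode ||
        { echo "host is not in maintenance mode" >&2; return 3; }
    depot_has_profile "$depot" "$profile" ||
        { echo "profile $profile is not in $depot" >&2; return 4; }
    # Dry run: reports the VIB-level changes without installing anything.
    esxcli software profile update -p "$profile" --depot="$depot" --dry-run "$@" ||
        { echo "dry run failed, nothing was installed" >&2; return 5; }
    esxcli software profile update -p "$profile" --depot="$depot" "$@" || return 6
    echo "update applied; reboot the node, then exit maintenance mode (step 4)"
}

# Runs only when the script is given arguments, for example:
#   sh patch_host.sh '/<patch_location>/VMware-ESXi-7.0U3s-24585291-depot.zip' \
#       ESXi-7.0U3s-24585291-standard
if [ "$#" -ge 2 ]; then patch_host "$@"; fi
```
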

Affected Products

VxRail, VxRail 460 and 470 Nodes, VxRail Appliance Series, VxRail G Series Nodes, VxRail D Series Nodes, VxRail E Series Nodes, VxRail P Series Nodes, VxRail S Series Nodes, VxRail Software, VxRail V Series Nodes

Products

VxRail VD Series Nodes
Article Properties
Article Number: 000345284
Article Type: Solution
Last Modified: 25 Aug 2025
Version:  4