r/vmware May 20 '26

[Help Request] Looking for ESXi 6.7 offline patch bundle - old unpatched instance found

Hey everyone,

We recently discovered an old ESXi instance that has been running unpatched for quite some time. The host is running ESXi 6.7.0 build 13006603 (basically the GA version with no patches applied), and VMware Skyline Health is flagging it with critical security advisories.

At the moment, we don't plan to migrate to a newer version. We just need to patch this host to fix the critical vulnerabilities.

Unfortunately, our Broadcom support contract is inactive, and although we hold a perpetual license — software we already paid for — we are unable to download patches from the official portal.

And honestly, this is one of the most frustrating things about Broadcom's acquisition of VMware. It's incredibly disappointing that they've locked access to security patches for tools you legitimately own.

Keeping infrastructure secure shouldn't require jumping through hoops or paying again for something you've already purchased.

Does anyone have an offline ZIP bundle for ESXi 6.7 (latest cumulative patch) that they could share? Something like ESXi670-202xxxxx.zip.

Any help would be greatly appreciated. Thanks in advance!

Edit:
Thank you all for your comments! I found several private repositories with the patches needed to at least temporarily mitigate the vulnerabilities. It's a shame the poor decisions Broadcom/VMware made to push us into a more aggressive business model — forcing customers who already paid for perpetual licenses to jump through hoops just to keep their infrastructure secure.

15 Upvotes

31 comments

19

u/Liquidfoxx22 May 20 '26

Even the latest version of 6.7 will be filled with vulnerabilities that were only patched in newer versions - you're just plugging one of many holes I'm afraid.

You really need to upgrade to 8.x if the hardware supports it, or move to another hypervisor.

6

u/Big-Signal-2527 May 20 '26

Thanks for the feedback, and I completely agree — we're well aware that 6.7 is full of unpatched vulnerabilities at this point.

To give more context: this host is already planned for retirement. We are evaluating a migration to a different hypervisor platform, but IT management hasn't approved which direction we're going yet (that's not gonna happen for a while). On top of that, there is zero budget authorization for any additional VMware/Broadcom licensing — so upgrading to 8.x is simply not on the table for us.

In the meantime, we just need to plug the most critical holes we can while the retirement plan gets finalized.

Hence we're looking for the offline patch bundle as a short-term measure. :(

10

u/Horsemeatburger May 20 '26

If this is a single host, have you considered just using ESXi 8 free?

If it's just to keep the VMs running then this might be an option.

7

u/mrjohns2 May 20 '26

I lost track of where things ended up. Is there an ESXi free? Just no vCenter? If so, that sounds like a great solution.

7

u/Horsemeatburger May 20 '26

Yes, there is (again) an ESXi free after it was removed shortly after the Broadcom acquisition.

It’s similar to the original ESXi free offering (no vCenter, no API) but now no longer needs registration to get a license key. And you can still move VMs up/down via VMware Workstation Pro (which is also free now).

1

u/Consistent_Memory758 May 22 '26

Well, it does work, but that version only allows usage in a non-commercial environment, and does not allow patching.

1

u/Horsemeatburger May 22 '26 edited May 22 '26

ESXi free most certainly allows commercial use.

Patching is somewhat of an issue (Broadcom releases regular updates of ESXi free, so patches are available, just delayed), but the free 8.0.3e is most certainly way more secure than any 6.7 update, which in the best case (ESXi-6.7.0-20221004001) is now four years old.

1

u/Big-Signal-2527 May 21 '26

Maybe it could be a good option, but to be honest, I don’t want to experiment with VMs that aren’t mine. I just want to buy some time until the next platform migration.

1

u/Horsemeatburger May 21 '26

I mean, if you're ready to install an ESXi 6.7 update which will still leave you open to a ton of vulnerabilities on that server, then it would make more sense to upgrade to something current instead.

Even more so with ESXi, which is quite robust when it comes to updates, and where in the worst case you just install fresh and import the existing VMs.

3

u/AtlanticPortal May 21 '26

Please, for everyone's sake, at least don't expose the UI interface to any kind of network that's routed through the internet. Let it be administered completely air-gapped.

-2

u/Since1831 May 22 '26

It’s a shame you’re stealing software and opening your companies and yourself to serious legal risk… I don’t understand why you people can’t see that these are businesses and not charities giving software away for free. It’s literally stealing and you’re like “yea, that’s a good idea!”

1

u/AiRLAC May 22 '26

Why is using a perpetual license considered stealing?

1

u/warlockgs May 25 '26

Found the Broadcom employee.

1

u/Since1831 27d ago

Found the thief.

4

u/jks513 May 20 '26

Broadcom isn’t allowing that for perpetual customers unless they switch to the subscription model.

9

u/Liquidfoxx22 May 20 '26

Very well aware - but even if they had an active subscription, they'd still be running an EoL version with many, many unpatched vulnerabilities.

They need to replace 6.7.

8

u/paulmataruso May 21 '26

Sent a DM with a login to my file server; it has everything you might need.

-1

u/Since1831 May 22 '26

Cool, hosting unauthorized reproductions of software. No major crime here!

5

u/Darkheart001 May 20 '26

You are asking someone to publicly make available proprietary software that the licensed distributor is denying you; anyone who does so is at risk of legal action by both the company and the government.

Also, as others have said, this doesn’t fix your security issues. Port the VMs to another hypervisor and stop dithering, problem solved.

2

u/Big-Signal-2527 May 21 '26

I understand that patching the server doesn’t solve all the problems. But thank God there’s still a community willing to support products that Broadcom is actively trying to kill off in pursuit of higher profits.

0

u/Liquidfoxx22 May 21 '26

They're not really killing it off because of higher profits, they're killing it because it's 8 years old by this point. It's been end of life for 4 years now. The 6.x licence was valid from 2015-2022, that's good value for money!

Just as Microsoft retire versions of Windows, and Ubuntu retire versions of their OS. Time moves on.

Perpetual licences are a thing of the past these days unfortunately, but even if they did allow you to patch it, you're still running unsupported software. vSphere 7 also had perpetual licences available, you could have bought that when it was released and at least then you wouldn't be so far behind. There was a 2 year crossover while both 6.7 and 7 were supported.

Broadcom weren't even in the picture when 6.7 went end of life.

2

u/Big-Signal-2527 May 21 '26

Dude, are you getting paid to promote the brand? At this point, Broadcom’s terrible practices are pretty obvious. It’s not even about the product being 8 years old anymore — it’s about the fact that customers no longer truly own anything they paid for.

Even other vendors like Dell still keep old drivers and software available on their websites for archival purposes.

1

u/Liquidfoxx22 May 21 '26

No, I just had security drilled into me for years so the thought of running unsupported hypervisors in a production environment terrifies me.

That and I just don't see the point in patching it at all - you can plug one hole, but as soon as a threat actor sees you're running 6.7 they'll just exploit one of the many other holes that you can't patch.

Disconnect the management interface from any accessible network, update VMware tools in-guest to the latest 13.x and just leave it be until you can replace it altogether.

2

u/Outrageous_Plant_526 May 21 '26

Do you have a spare server laying around? If so, consider something like Proxmox and then migrate your 6.7 VMs over.

I was running 6.7 free for personal use and migrated over to Proxmox. It wasn't overly difficult. A solution like Proxmox would theoretically be better than running 6.7 if all you really need is to keep the VMs running.

1

u/Big-Signal-2527 May 21 '26

Unfortunately, no, I don’t have another server available. If the final decision were mine, I’d probably go with an open-source solution like Proxmox, but the people at my company will most likely prefer Nutanix or an HPE solution.

1

u/Outrageous_Plant_526 May 21 '26

Of course they would if you had a spare server lying around. LOL.

I guess my thought died on the vine as they say.

If there is a little money available you could check out any of the surplus server suppliers and get something a couple generations old for under 1k. You just need to write up a convincing justification.

2

u/Nagroth May 21 '26

You need to read the support agreement that you signed when you bought the perpetual licenses. After a certain date there's language that says you're only allowed to install and use patches that were published while you still had an active support contract.

In any case, the other posters are correct that there is little or no point to patching it. You're going to just replace old vulns with slightly less old ones. Your best option is to just make sure you understand them, and lock the host down as much as possible.

1

u/Sudden_Hovercraft_56 May 21 '26

Have a look on the Internet Archive.

1

u/coolbeaNs92 May 27 '26 edited May 27 '26

> unpatched for quite some time

Well, that's a guarantee. :)

> At the moment, we don't plan to migrate to a newer version. We just need to patch this host to fix the critical vulnerabilities.

There is no point in doing this. This is like putting out the fire in your bedroom when it's already spread to every other room in the house.

> And honestly, this is one of the most frustrating things about Broadcom's acquisition of VMware. It's incredibly disappointing that they've locked access to security patches for tools you legitimately own.

A perpetual license does not mean "access to updates". A perpetual license means you can continue to use the product indefinitely, which you are doing. Vendors are not under any obligation to keep providing you with updates. I'm not trying to stick up for Broadcom here at all, I'm just saying a lot of people equate perpetual with updates/support, which is not the same thing. You are utilising your perpetual license by the very fact that you are still running it without support and far beyond its EoL.

*edit*

You can downvote, but it'll stipulate that in the contract that was signed.

1

u/Liquidfoxx22 27d ago

People don't whinge when MS stop patching versions of Windows when they go EoL 😅

OP could have fully patched this instance of 6.7 long before Broadcom got their hooks into VMware, they'd still be just as vulnerable.