OpenSSH vulnerability CVE-2025-26465 & CVE-2025-26466 in ESXi

Updated On: 03-26-2025

Products

VMware vSphere ESXi

Issue/Introduction

This article outlines the guidance from VMware by Broadcom relating to the OpenSSH vulnerability CVE-2025-26465 & CVE-2025-26466 and ESXi.

Environment

VMware vSphere ESXi

Resolution

There is no immediate plan to update the OpenSSH binaries on ESXi in relation to CVE-2025-26465 & CVE-2025-26466, for multiple reasons:

  1. The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see the product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product.
  2. CVE-2025-26465 is a client-side vulnerability and does not directly relate to the ESX version. Even within ESX, the SSH client usage does not use "VerifyHostKeyDNS", as noted in the client config file (/etc/ssh/ssh_config).
  3. For CVE-2025-26466, unlike Linux, ESX's daemons are sandboxed to limit memory consumption.
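Point 2 rests on the client config file not enabling VerifyHostKeyDNS. The following is an added example, not code from the KB article or from ESXi itself, that reads an OpenSSH client config such as /etc/ssh/ssh_config and reports the effective VerifyHostKeyDNS value, so the claim can be confirmed on a host. It assumes only POSIX sh, sed and awk, and applies the usual ssh_config rules: keywords are case-insensitive, "key value" and "key=value" are both accepted, '#' starts a comment, the first obtained value wins, and the compiled-in default is "no". Host/Match scoping is ignored on purpose, so any enabled occurrence anywhere in the file is reported; the path and sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the VMware KB or from ESXi): report the
# effective VerifyHostKeyDNS value in an OpenSSH client config.
# Rules applied: keyword match is case-insensitive, "key=value" is
# accepted, '#' starts a comment, first obtained value wins, default "no".
# Host/Match blocks are deliberately not scoped: any enabled occurrence
# in the file is treated as worth a look.

# Print the first VerifyHostKeyDNS value found in FILE ("no" if unset).
verify_host_key_dns_value() {
    v=$(sed -e 's/#.*$//' -e 's/=/ /' "$1" |
        awk 'tolower($1) == "verifyhostkeydns" { print tolower($2); exit }')
    printf '%s\n' "${v:-no}"
}

# Exit 0 when FILE leaves DNS host-key verification off (the state the
# KB describes for ESX), 1 when it is set to "yes" or "ask".
dns_hostkey_verification_off() {
    case "$(verify_host_key_dns_value "$1")" in
        yes|ask) return 1 ;;
        *)       return 0 ;;
    esac
}

# Demo on a constructed config (not the real ESXi file); on a host you
# would pass /etc/ssh/ssh_config instead.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample ssh_config
Host *
    ForwardAgent no
    # VerifyHostKeyDNS yes   <- commented out, must be ignored
    StrictHostKeyChecking ask
EOF
    printf 'VerifyHostKeyDNS = %s\n' "$(verify_host_key_dns_value "$f")"
    if dns_hostkey_verification_off "$f"; then
        echo "DNS host-key verification is off (as the KB expects)"
    else
        echo "DNS host-key verification is enabled; review this config"
    fi
    rm -f "$f"
}
demo
```

Run it as a script on the host (or source it and call `verify_host_key_dns_value /etc/ssh/ssh_config`); because commented-out lines are stripped before matching, a commented `VerifyHostKeyDNS yes` does not produce a false positive.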

Additional Information