The ESXi host (Mobility Agent) that is deployed by HCX will match the oldest version of ESXi host that is contained within the environment.  This is expected behavior as it will ensure compatibility with that host for migration purposes.

It can also result in the behavior where vulnerability scanners will detecting HCX Mobility Agent is running an unpatched version of ESXi (Version less then ESXi80U3d-24585383).

Security Advisory: VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

HCX 4.X

The deployed ESXi host referred to as a Mobility Agent is used exclusively for vMotion, Cold, and Replicated Assisted vMotion (RAV) migrations and is enabled within the HCX manager whenever an IX appliance is deployed.  The version of the ESXi host is determined by the vCenter version and oldest ESXi build version within its inventory.  The version of ESXi deployed from vCenter may not technically be a patched version of ESXi and is identified by the vulnerability scanner as vulnerable.

The Mobility Agent ESXi host version is not automatically updated when the vCenter server is updated.  In order to update the Mobility Agent version, the ESXi host will need to be redeployed by using the following procedure

Note: Make sure there are no ongoing migrations in HCX.

1. Login to HCX Hybridity UI and redeploy IX appliance. This will deploy a new Mobility Agent host matching the vCenter version.
   • From HCX Manager UI -> Interconnect -> Service Mesh >> Appliances >> 'Select-IX-Appliance' >> REDEPLOY

The ESXi that appears in the VC when vMotion is enabled within a HCX manager is a "fake" ESXi. From security perspective, HCX will never be vulnerable to ESXi vulnerabilities since no real ESXi is shipped in the appliance. Please refer to VMware Cloud: Introduction to HCX for further details.