OpenSSH Vulnerability (CVE-2025-61984 and CVE-2025-61985) in ESXi 8.0 Update 3e and vCenter Server 8.0 Update 3g
Article ID: 415434

Products

VMware vSphere ESXi

Issue/Introduction

A Nessus scan flagged CVE-2025-61984 and CVE-2025-61985 (scanner description: OpenSSH < 10.1 / 10.1p1 RCE) on an environment running ESXi 8.0 Update 3e and vCenter Server 8.0 Update 3g, and recommended upgrading OpenSSH to version 10.1 or later. This article addresses whether these vulnerabilities affect ESXi and vCenter and outlines the appropriate remediation path. The finding comes from a version-based vulnerability scan; there is no functional impact to the service.

  • The CVEs in question carry a CVSS score of 3.6 (Low severity)

Both CVEs are client-side vulnerabilities in the ssh client program; exploitation requires a "ProxyCommand" directive to be in effect in the SSH client configuration of the connecting host.

  • By default, neither VMware ESXi nor vCenter Server uses or configures "ProxyCommand" in their SSH client behavior.
  • ESXi and vCenter do not permit administrators to add "ProxyCommand" to their SSH client configuration; commands such as "esxcli system ssh" do not support or allow injection of this directive on ESXi.
  • The exposure, if any, is on the remote clients that connect to ESXi or vCenter. It is mitigated when those clients run OpenSSH 10.1 or later, or when their client configuration has been reviewed and contains no "ProxyCommand" directive.
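The client-side review described above can be scripted. The following is an added example, not part of this KB article or of any VMware/Broadcom tooling: it checks the two preconditions on an SSH client host (the jump box or admin workstation that connects to ESXi or vCenter), namely an OpenSSH client older than 10.1 and an active "ProxyCommand" directive in the client configuration. Host names and paths in the constructed sample config are hypothetical. ProxyJump is matched as well because ssh implements it by generating a ProxyCommand ("ssh -W ...") internally, so it exercises the same code path.

```sh
#!/bin/sh
# Added example (not from the Broadcom KB): audit an SSH *client* host for the
# preconditions of CVE-2025-61984 / CVE-2025-61985: OpenSSH client < 10.1 and an
# active ProxyCommand (or ProxyJump) directive. Run on the hosts that ssh into
# ESXi/vCenter, not on the ESXi host itself.

# Return 0 if the `ssh -V` banner names an OpenSSH client below 10.1,
# 1 if it is 10.1 or newer, 2 if the banner is not recognised.
ssh_version_below_10_1() {
    local banner ver major minor
    banner=$1
    # "OpenSSH_9.9p2, OpenSSL 3.0.15 3 Sep 2024" -> "9 9"
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo "unrecognised ssh -V banner: $banner" >&2
        return 2
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -lt 1 ]; }; then
        return 0
    fi
    return 1
}

# Print every active (uncommented) ProxyCommand/ProxyJump line in the given
# ssh_config files; return 0 if at least one was found, 1 otherwise.
# ssh_config keywords are case-insensitive and may be written "Key value"
# or "Key=value", so the pattern allows both; leading whitespace is allowed
# because directives usually sit indented under a Host/Match block.
config_has_proxycommand() {
    local rc f
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -H -n -i -E '^[[:space:]]*Proxy(Command|Jump)([[:space:]]|=)' "$f"; then
            rc=0
        fi
    done
    return $rc
}

# Stand-alone demonstration: a constructed sample config, then the live host.
main() {
    local demo banner
    demo=$(mktemp)
    # Constructed sample (hypothetical hosts): the commented-out directive must
    # not count, the lower-case one under the second Host block must.
    cat > "$demo" <<'EOF'
Host esxi01.example.internal
    HostName 10.0.0.5
    # ProxyCommand ssh jump.example.internal -W %h:%p
Host vcsa.example.internal
    proxycommand ssh jump.example.internal -W %h:%p
EOF
    echo "== constructed config $demo"
    config_has_proxycommand "$demo" || echo "no active ProxyCommand"
    rm -f "$demo"

    if command -v ssh >/dev/null 2>&1; then
        banner=$(ssh -V 2>&1)          # ssh prints its version on stderr
        echo "== local client: $banner"
        if ssh_version_below_10_1 "$banner"; then
            echo "client is below OpenSSH 10.1: review ProxyCommand use"
        else
            echo "client is OpenSSH 10.1 or newer"
        fi
        echo "== active ProxyCommand/ProxyJump in client config files"
        config_has_proxycommand /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf \
            "$HOME/.ssh/config" || echo "none found"
    fi
}
main "$@"
```

The file scan only covers directives written into config files. A ProxyCommand can also be supplied on the command line (`ssh -o ProxyCommand=...`) or by a `Match` block, so for a specific destination the authoritative check is the effective configuration ssh computes, e.g. `ssh -G esxi01.example.internal | grep -i '^proxycommand'`, which prints the expanded proxycommand line only when one is in effect.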

Environment

vSphere 8.x

Cause

  • The OpenSSH version included with ESXi 8.0 Update 3e and vCenter 8.0 Update 3g is flagged by the scanner purely because it is below version 10.1. OpenSSH 10.1 has not yet been integrated into the ESXi 8.0 series due to dependency and compatibility constraints across supported components.
  • Broadcom Engineering confirmed that OpenSSH 10.1 is not part of the ESXi 8.0 patch stream: moving to OpenSSH 10.1 would cross a major version boundary, which is not permitted within the 8.0 patch series.

Resolution

  • No immediate action is required on ESXi or vCenter Server.
  • It is recommended to stay current with the latest ESXi 8.0 patches, which will include OpenSSH 9.9p2 in Patch 7. Note that 9.9p2 is still below 10.1, so version-based scanners will continue to report these CVEs against it; the finding should be risk-accepted on the basis above rather than expected to clear.
  • The update to OpenSSH 10.1 is targeted for the next major release (VCF 9.1). Plan to move to VCF 9.1 when it becomes available if OpenSSH 10.1 integration is required.

Additional Information

Security findings can be submitted for formal review through: Broadcom Support