To remediate VMSA-2025-0004 using vLCM

Article ID: 395164

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The customer needs to remediate ESXi hosts for the VMSA-2025-0004 vulnerability using vLCM in a 7.0U3 environment.

Environment

ESXi 7.x, 8.x

Cause

The ESXi 7.x environment is vulnerable to VMSA-2025-0004 and needs remediation.

Resolution

1. Download the patch from the Broadcom Support Portal:

VMware-ESXi-7.0U3s-24585291-depot.zip

See:

VMware ESXi 7.0 Update 3s Release Notes

Download Broadcom products and software

2. Apply the patch using vLCM (Lifecycle Manager):

Log in to the vSphere Client.
Navigate to Menu > Lifecycle Manager.
Create a new baseline:
   Select "Patch" as the baseline type.
Add the downloaded patch file to this baseline.
Attach the baseline to the desired cluster or host.
Perform a compliance check and remediate non-compliant hosts.

3. ALTERNATIVE WAY OF PATCHING:

Using ESXCLI Command Line

For additional reference, see:

Patching ESXi host using Command Line

Note: Starting with ESXi 8.0 Update 2, upgrading or updating ESXi using the commands esxcli software vib update or esxcli software vib install is no longer supported, as indicated in the article above.

Specific steps, for versions before 8.0.2:

Upload the patch file to a datastore accessible by the ESXi host. You can use tools like WinSCP or the vSphere Client to upload the patch file to the datastore.
SSH into the ESXi host, place it in maintenance mode, and validate:

 vim-cmd /hostsvc/maintenance_mode_enter  
 vim-cmd /hostsvc/hostsummary | grep inMaintenanceMode

 esxcli software vib update -d "/vmfs/volumes/Datastore/DirectoryName/PatchName.zip"
For example:
 esxcli software vib update -d "/vmfs/volumes/<datastore_name>/<directory>/VMware-ESXi-7.0U3s-24585291-depot.zip"

Identify the image profiles in the offline bundle:
 esxcli software sources profile list -d /vmfs/volumes/<datastore>/<path-to-patch>/VMware-ESXi-7.0U3s-24585291-depot.zip


Run the following command:
 esxcli software profile update --depot=<depot_location> --profile=<profile_name>
 esxcli software vib install -d /vmfs/volumes/<datastore_name>/VMware-ESXi-7.0U3s-24585291-depot.zip

Reboot the host after installation:

 reboot

Exit maintenance mode:

 vim-cmd hostsvc/maintenance_mode_exit

4. Validation:

Verify that the host is running ESXi 7.0 U3s (Build 24585291).
In the CLI:

 vmware -vl
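
An added example (not part of the original article or any Broadcom tooling): a POSIX shell function that classifies a host from the text printed by vmware -vl, using the fixed build 24585291 named above. It assumes later 7.0 builds are cumulative and reports other release lines as out of scope, because the 7.0 threshold says nothing about them; the function name and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a host from the text printed by `vmware -vl`.
# FIXED_BUILD is the ESXi 7.0 U3s build given in this article.
FIXED_BUILD=24585291

# classify_host "<vmware -vl output>" (hypothetical helper name)
# Prints PATCHED, VULNERABLE, OUT_OF_SCOPE or UNPARSEABLE.
# Returns 0 only for PATCHED, so it can gate a maintenance script.
classify_host() {
    # The first line looks like: VMware ESXi 7.0.3 build-24585291
    first_line=$(printf '%s\n' "$1" | sed -n '1p')
    version=$(printf '%s\n' "$first_line" |
        sed -n 's/^VMware ESXi \([0-9][0-9.]*\) build-[0-9][0-9]*[[:space:]]*$/\1/p')
    build=$(printf '%s\n' "$first_line" |
        sed -n 's/^VMware ESXi [0-9][0-9.]* build-\([0-9][0-9]*\)[[:space:]]*$/\1/p')

    if [ -z "$version" ] || [ -z "$build" ]; then
        echo UNPARSEABLE
        return 3
    fi

    case "$version" in
        7.0|7.0.*) ;;
        *)  # The 7.0 build threshold does not apply to other release lines.
            echo OUT_OF_SCOPE
            return 2 ;;
    esac

    if [ "$build" -ge "$FIXED_BUILD" ]; then
        echo PATCHED
        return 0
    fi
    echo VULNERABLE
    return 1
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_PATCHED='VMware ESXi 7.0.3 build-24585291
VMware ESXi 7.0 Update 3'
SAMPLE_OLD='VMware ESXi 7.0.3 build-20000000
VMware ESXi 7.0 Update 3'
SAMPLE_8X='VMware ESXi 8.0.1 build-20000000
VMware ESXi 8.0 Update 1'

# On a real host, call: classify_host "$(vmware -vl)"
for s in "$SAMPLE_PATCHED" "$SAMPLE_OLD" "$SAMPLE_8X"; do
    classify_host "$s" || true
done
```

A host reported as OUT_OF_SCOPE or UNPARSEABLE needs a manual check against the advisory rather than being counted as remediated.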

Additional references:

VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

VMSA-2025-0004: Questions & Answers

Best Practices for Patching VMware vSphere

VMware ESXi 7.0 Update 3s Release Notes