
1 Rookie

21 Posts

March 4th, 2025 16:47

VMSA-2025-0004 (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

Hi,

it seems there are critical updates without a workaround from VMware/Broadcom. This looks to be a complete VM escape with hypervisor takeover that is being used in the wild. What's the ETA for the next VxRail release that includes these fixes?

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

1 Rookie


1 Message

March 5th, 2025 11:30

Hi,

Dell support has told me that we can expect the next release on March 18th. It will be version 8.0.322, which includes fixes for these issues.

Greetings

Moderator


7.5K Posts

March 5th, 2025 11:30

Hello Klaas-,

We are working on the patches and are testing to make sure that there are no issues with the next patch update. The patches should be available in a couple of weeks unless there are issues that we didn’t see before.

1 Rookie


1 Message

March 5th, 2025 12:56

Hi, is there a workaround or something we could do while waiting for the patch to be incorporated in VxRail?

1 Rookie


1 Message

March 5th, 2025 15:36

@GurkenR1ck How about updates for VxRail 7.xx?

Moderator


7.5K Posts

March 5th, 2025 15:48

Hello yardsea8e1a7,

There will be a patch for 7.0.x as well as 8.0.x systems.

1 Rookie


1 Message

March 6th, 2025 08:12

@DELL-Sam L this is classed with severity level Critical, which should not be allowed to take a couple of weeks to be patched. Can this be treated separately, outside the next regular VxRail patch cycle, due to its criticality?

Moderator


7.5K Posts

March 6th, 2025 08:21

Hello mooms2003,

We are aware and treat all CVE issues with a critical status. However, it is not correct for DellEMC to put out a patch, and not test it on our own systems first to ensure that all is fixed and doesn’t cause any new issues.

1 Rookie


1 Message

March 6th, 2025 22:06

@DELL-Sam L is it safe to just install this Broadcom update separately and then upgrade the VxRail code later? Our internal Cyber team have advised that this is very critical and the Broadcom patch MUST be installed this weekend.

(edited)

1 Rookie


5 Posts

March 7th, 2025 00:26

My mgmt is asking to be updated when I get this patched. I've patched all the regular ESX hosts... just waiting for VxRail.

I've looked on the Security Advisories, Notices and Resources page, and I see a related announcement for the PowerStore product with ESX embedded but nothing from VxRail.

Moderator


7.5K Posts

March 7th, 2025 14:27

Hello dbethke,

We are working on the patch fix for the issues listed above. Once the patches are available we will update this post with the patch fix, so that everyone who is on this post will get notified.

1 Rookie


5 Posts

March 7th, 2025 15:30

Ok. We'll wait for y'all to eventually make a Security Advisory on your page in a couple weeks, but it seems like you should post something now that says you're aware and working on it and not just napping. 

1 Rookie


7 Posts

March 7th, 2025 15:49

@Danjay6f23c3 @DELL-Sam L I want to know this too! We are running a 5-node vxRail stack, ESXi 7.0 Update 3r. I have finished going thru the excellent info & guidelines provided by Broadcom. Now I'm cross-checking with Dell and I find myself disappointed and faced with a decision: I can apply the Broadcom patch and get us up to 7.0 Update 3s Build 24585291 today and hope for the best when it's time for the next Dell vxRail package... or wait for that package.

I think I'm going to go for it. Last year an admin paid attention to the blue banner at the top stating vCenter needed an update and applied it out-of-band. It was a mess, but after a couple of days I got it all sorted out - vxRail Manager and the whole stack happily in sync again.

After that experience, how bad could an out-of-band hypervisor update be?

1 Rookie


7 Posts

March 11th, 2025 14:27

@nsiakotos I patched as well, using vCenter Lifecycle Manager. No issues except an out-of-compliance alarm on the vxRail ESX Cluster, which is not unexpected:

VXR008006 ALARM Non-compliant components detected

I ran & viewed the vxRail Compliance Drift Report @ Cluster > Configure > vxRail > Compliance.

Sure enough, the only non-compliant items are the ESXi nodes:

Expected version 7.0.3-24411414  <-- latest version via Dell vxRail packages; vulnerability present

Current version 7.0.3-24585291  <-- patched via Lifecycle Manager, sourced direct from VMware/Broadcom; vulnerability not present

I'm just fine with this & have ack'd the alarm.

(edited)
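The post above describes the situation an administrator ends up in after patching ESXi out-of-band: the VxRail compliance drift report shows an "expected" build (the Dell package level, still vulnerable) that is lower than the "current" build (the Broadcom patch level). The following script is an added example, not code from the thread or from Dell/Broadcom; it parses the two version lines quoted in that post and decides whether the host is at or above the fixed build and whether the reported drift is the expected consequence of patching ahead of the VxRail package. The only build number it treats as "fixed" is the 7.0.3-24585291 value quoted in the thread; the `FIXED_BUILDS` table is an assumed structure that would have to be filled from the vendor advisory for other release trains, and the drift-report text is a constructed sample modelled on the post.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Assumption: first build on each ESXi release train that carries the fix.
# Only the 7.0.3 entry comes from the thread above (7.0 Update 3s,
# build 24585291); other trains must be added from the vendor advisory.
FIXED_BUILDS = {
    (7, 0, 3): 24585291,
}

# Constructed sample, modelled on the compliance drift report quoted above.
SAMPLE_REPORT = """\
VXR008006 ALARM Non-compliant components detected
Expected version 7.0.3-24411414
Current version 7.0.3-24585291
"""


class EsxiVersion(NamedTuple):
    train: Tuple[int, int, int]   # (major, minor, patch), e.g. (7, 0, 3)
    build: int                    # numeric build, e.g. 24585291


_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


def parse_version(text: str) -> EsxiVersion:
    """Parse an ESXi version string of the form major.minor.patch-build."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return EsxiVersion((major, minor, patch), build)


def parse_drift_report(report: str) -> dict:
    """Pull the 'Expected version X' / 'Current version Y' lines out of
    a drift report; trailing annotations after the version are ignored."""
    found = {}
    for line in report.splitlines():
        m = re.match(r"^\s*(Expected|Current) version\s+(\S+)", line)
        if m:
            found[m.group(1).lower()] = parse_version(m.group(2))
    missing = {"expected", "current"} - found.keys()
    if missing:
        raise ValueError(f"drift report lacks: {sorted(missing)}")
    return found


class Assessment(NamedTuple):
    patched: Optional[bool]   # None when the train is not in FIXED_BUILDS
    drift_expected: bool      # True when drift is explained by an out-of-band patch


def assess(expected: EsxiVersion, current: EsxiVersion) -> Assessment:
    """Decide whether the running build is at/above the fixed build, and
    whether an expected!=current drift is the benign result of patching
    ahead of the VxRail package (newer build, fix present)."""
    fixed = FIXED_BUILDS.get(current.train)
    patched = None if fixed is None else current.build >= fixed
    drift_expected = (
        bool(patched)
        and current != expected
        and current.train == expected.train
        and current.build > expected.build
    )
    return Assessment(patched, drift_expected)


def assess_report(report: str) -> Assessment:
    versions = parse_drift_report(report)
    return assess(versions["expected"], versions["current"])


if __name__ == "__main__":
    result = assess_report(SAMPLE_REPORT)
    print(f"patched={result.patched} drift_expected={result.drift_expected}")
```

Run as-is it evaluates the sample report and reports `patched=True drift_expected=True`, i.e. the alarm is the drift the poster describes rather than a sign of an unpatched host. A host whose expected and current builds are both at the old Dell package level comes back `patched=False`, and a train missing from `FIXED_BUILDS` comes back `patched=None` so that an unknown release is never silently reported as fixed.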

1 Rookie


7 Posts

March 11th, 2025 21:43

vxRail 7.0.541 package appears to be available now, and it includes the fix for this vulnerability.

1 Rookie


1 Message

March 12th, 2025 01:38

@Kris.Jacobs we are getting an error message, cannot download. Anyone else get this error?
