Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract.
Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network.
As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.
The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers.
Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today
The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.
In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025.
However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper’s customers.
The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation.
The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages.
For more details about EOL dates on all VMware software products, check out this webpage.
What does this mean?
When a software product reaches the end-of-life date, it stops receiving regular security updates. This means that admins should have already planned ahead and upgraded all deployments to a newer release.
While it’s not unlikely that VMware will still offer some critical security patches for these older versions, it’s not guaranteed and certainly won’t release patches for all new vulnerabilities that are discovered.
Once an unsupported ESXi server has carried on for long enough without patches, it will have accumulated so many security vulnerabilities that attackers would have multiple ways to breach it.
Due to ESXi hosting virtual machines, attacking the server can potentially cause severe and wide-scale disruption to business operations, which is why ransomware gangs are so focused on targeting it.
More recently, Mandiant discovered that hackers found a new method to establish persistence on VMware ESXi hypervisors that lets them control the server and hosted VMs without being detected.
All that said, ESXi already enjoys ample attention from threat actors, so running outdated and vulnerable versions of the software would no doubt be a terrible idea.