VMware ESXi versions 6.5 and 6.7 have reached end-of-life (EOL) as of October 15th, 2022. The IT Asset Management software “Lansweeper” has inventoried over 45,000 servers still running the recently EOL versions of ESXi. These versions of ESXi will no longer receive software and security updates, unless companies purchase an extended support contract.
Lansweeper reports 79,000 servers running VMware ESXi across 6,000 customers. Of those servers:
- 28,835 (36.5%) run version 6.7.0 released in April, 2018
- 16,830 (21.3%) run version 6.5.0 released in November, 2016
- 12,482 (15.8%) run versions between 3.5.0 and 5.5.0, far past EOL
These numbers represent only Lansweeper customers, and the total numbers are assuredly far higher. While customers can purchase an extended support contract, it lasts only 2 years and does not include updates to third-party software that may reach EOL as well. VMware may still provide patches in the event of a critical security vulnerability, but there is no guarantee.
It is critical for organizations to keep their ESXi servers up to date. Unpatched vulnerabilities accumulate, giving an attacker a variety of opportunities for exploitation. In addition, because ESXi servers host virtual machines, they are a very desirable target for attackers. The compromise of a single ESXi server could lead to the compromise of dozens of production servers hosted on it.
System administrators can use this resource from VMware to plan a proactive update cycle and avoid EOL-related security issues: https://lifecycle.vmware.com/#/
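A first step in such an update cycle is knowing which hosts are already past end of support. The following is an added example, not code from the article or from Lansweeper or VMware: it classifies the `VMware ESXi x.y.z build-NNN` banner that `vmware -v` prints on a host against the EOL dates the article gives (6.5 and 6.7 on October 15th, 2022; anything older flagged as long past EOL; 7.0 and later left as unknown because the article does not cover them). The sample banners and build numbers are constructed.

```python
import re
from datetime import date

# End of general support per the article above; releases older than 6.5 are
# flagged as EOL without a date, since the article gives none for them.
EOL_DATES = {
    "6.7": date(2022, 10, 15),
    "6.5": date(2022, 10, 15),
}

# Shape of the `vmware -v` banner on an ESXi host, e.g. "VMware ESXi 6.7.0 build-12345678"
BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def classify(banner, today=None):
    """Return (major.minor, status) for one banner line.

    status is 'eol', 'supported' or 'unknown' (unparseable line, or a release
    the article's EOL table does not cover, such as 7.x).
    """
    today = today or date.today()
    m = BANNER_RE.search(banner)
    if not m:
        return None, "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    key = f"{major}.{minor}"
    if (major, minor) < (6, 5):
        return key, "eol"            # 3.5 .. 6.0: far past EOL
    eol = EOL_DATES.get(key)
    if eol is None:
        return key, "unknown"        # not covered by the article's table
    return key, "eol" if today > eol else "supported"


def summarize(banners, today=None):
    """Count hosts per status, so EOL exposure can be tracked over time."""
    counts = {}
    for line in banners:
        _, status = classify(line, today)
        counts[status] = counts.get(status, 0) + 1
    return counts


SAMPLE_BANNERS = [  # constructed sample, one line per inventoried host
    "VMware ESXi 6.7.0 build-11111111",
    "VMware ESXi 6.5.0 build-22222222",
    "VMware ESXi 5.5.0 build-33333333",
    "VMware ESXi 7.0.3 build-44444444",
    "ssh: connect to host esx-old failed",
]
```

Running `summarize(SAMPLE_BANNERS)` on a date after October 15th, 2022 reports three EOL hosts and two unknown entries, the second of which is a collection failure that deserves follow-up rather than silent omission.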