Broadcom’s customer shakedown opens old pathways for ransomware gangs

In early May 2025, VMware owner Broadcom began sending cease-and-desist letters to customers who still hold perpetual licenses but whose support contracts have expired. The letters demand that recipients roll back every update installed after their support ended, under threat of audits and litigation. Customers are permitted to keep updates that address zero-day vulnerabilities, but every other update, security patches included, must be removed.
While that change in policy (which came after Broadcom completed its purchase of VMware in late 2023) is terrible from a customer service and customer satisfaction standpoint, it also puts companies and their data at risk of network intrusions and data theft by ransomware groups that exploit known, already-patched vulnerabilities.
Broadcom has effectively created a no-win situation in which many existing customers who were grandfathered in when it purchased VMware must now make a choice that could cost them millions and put at risk not only the future of their company but also the sensitive data they maintain.
Broadcom’s demand to roll back updates creates a security and stability nightmare
Broadcom’s cease-and-desist letters demand that certain customers remove all updates, including security patches, applied after the support contract’s expiration. The only exception Broadcom appears to allow is updates addressing zero-day vulnerabilities, which the reports characterize as those with a CVSS score of 9.0 or higher. Note that a CVSS score measures severity, not whether a flaw was exploited before a fix existed, so the two criteria do not describe the same set of patches; a customer relying on the exception should confirm exactly which patches it covers before removing anything.
According to reports from users on various network administration forums, including Reddit’s /r/sysadmin, these cease-and-desist letters place customers in an impossible situation: remove updates in a way that creates a security nightmare, switch to a higher-priced subscription package many license holders can’t afford, or risk an expensive court battle.
These demands are dangerous for several important reasons that cannot be ignored or overstated:
They introduce known vulnerabilities back into production environments
Update and patch rollbacks are not benign. They reintroduce well-documented security flaws that attackers have already learned to scan for and exploit. Many of the ransomware operations we track daily take full advantage of this; the now-infamous WannaCry outbreak spread through a vulnerability for which a patch had already been published. Attackers watch CVE databases and patch notes and diff released fixes to build working exploits for flaws that are already public, so a host that loses a patch is exposed to exploits that already exist, not to ones that still have to be discovered.
By forcing security rollbacks, Broadcom is effectively compelling license holders to substantially increase their own risk of a data breach. While the company holding the license remains responsible for its data, such demands put serious ethical questions at Broadcom’s feet.
They break essential system stability and configuration baselines
Many security patches are delivered as part of a larger update that also includes performance and compatibility improvements. When companies are forced to revert their systems to an earlier state, the rollback can destabilize hypervisors, invalidate integrations with backup or disaster recovery (DR) tooling, and disrupt resource scheduling for virtual workloads.
If a company has a tightly tuned environment (common in education, healthcare, and government organizations, which tend to hold larger amounts of legally regulated PII and PHI), this kind of rollback can result in cascading failures and critical, expensive downtime.
Cybercriminals can take advantage of these failures, or cause them deliberately, by exploiting the vulnerabilities the removed patches had closed. Rolling back those safeguards reintroduces significant, well-known risks that the organization had already mitigated.
They punish long-time VMware customers
Longtime VMware customers feel betrayed right now, and for good reason. Beyond the risk that Broadcom is placing upon their security posture, many are understandably upset with the tactics Broadcom is using to gain compliance with its new pricing strategies.
As one IT professional stated in an April 2025 /r/sysadmin post:
“This is like a mafioso shaking down a shopkeeper for protection money. I swear, if they won’t be reasonable on my next phone call with them, then I will make it my mission — with God as my witness — to break the land speed record for fastest total datacenter migration to Hyper-V or Proxmox or whatever and shutting off ESXi forever. I’m THAT pissed off.”
Companies that did the right thing for themselves and their customers by standardizing on VMware and following best practices must now choose between staying with Broadcom and paying more to a company they no longer trust, or undertaking a migration to another provider, which can easily become a long and expensive process.
Broadcom likely recognizes that the cost of switching is high, and that leverage is a large part of why many customers have felt exploited since its purchase of VMware.
What can companies do to protect themselves against ransomware threats?
Companies that are forced to roll back security updates will still have to decide quickly what to do next. Broadcom has already proven its willingness to take the legal route for companies that don’t comply, as was recently reported in its case against Siemens. Even for small and mid-sized companies holding onto perpetual licenses from the pre-Broadcom era, failing to comply may result in expensive audits and lawsuits.
Some companies saw the writing on the wall immediately following the VMware purchase and switched to a VMware alternative. Many companies, however, were not so forward-thinking and are now left with open security risks as they must roll back updates before switching to a new virtualization platform.
During that interim, companies in this position should take several steps as quickly as possible to boost their security posture against newly revitalized security threats:
- Harden network perimeters
- Isolate vulnerable systems
- Implement strict access controls
- Boost monitoring and detection
- Run regular vulnerability scans
- Audit all backup systems
- Limit internet-facing exposure
- Create a rapid response plan
- Move quickly on migration planning
These steps are no guarantee against a security threat facing a weakened virtualization platform, but they will give impacted companies a fighting chance should ransomware gangs decide to take advantage of the situation.
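A concrete first step that ties the "isolate vulnerable systems" and "run regular vulnerability scans" items together is to measure exactly how far each host has regressed. The following Python script is an added example, not code from the article or from Broadcom or VMware. It assumes two CSV exports with the columns host, version, build (the kind of list PowerCLI produces with Get-VMHost | Select-Object Name,Version,Build | Export-Csv, after renaming the header): a baseline captured before the rollback and the current inventory captured after it. All host names, version strings and build numbers in it are constructed sample data, not real ESXi builds.

```python
"""Baseline drift check for ESXi hosts after a forced update rollback.

Added example (not from the original article, Broadcom or VMware).
Input: two CSVs with columns host,version,build. ESXi build numbers increase
monotonically, so a host whose current build is lower than its baseline build
has lost every fix shipped between the two builds.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class HostState:
    host: str
    version: str
    build: int


# Constructed baseline: the build each host ran before updates were removed.
BASELINE_CSV = """host,version,build
esx-prod-01,8.0.3,24100001
esx-prod-02,8.0.3,24100001
esx-dr-01,7.0.3,23700001
esx-lab-01,7.0.3,23700001
"""

# Constructed inventory exported after the rollback: esx-lab-01 is gone,
# esx-new-01 was never baselined, and two hosts went backwards.
CURRENT_CSV = """host,version,build
esx-prod-01,8.0.2,23900001
esx-prod-02,8.0.3,24100001
esx-dr-01,7.0.3,23100001
esx-new-01,8.0.3,24100001
"""


def parse_inventory(text: str) -> dict[str, HostState]:
    """Parse a host,version,build CSV into a dict keyed by host name."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["host"].strip()
        hosts[name] = HostState(name, row["version"].strip(), int(row["build"]))
    return hosts


def find_regressions(baseline, current):
    """Classify hosts relative to the baseline.

    regressed: current build is lower than the baseline build (fixes lost)
    missing:   baselined host absent from the current export (find out whether
               it was decommissioned, renamed, or simply not reporting)
    unknown:   host in the current export that was never baselined (treat as
               unverified until its patch level is confirmed)
    """
    report = {"regressed": [], "missing": [], "unknown": []}
    for host, base in baseline.items():
        cur = current.get(host)
        if cur is None:
            report["missing"].append(host)
        elif cur.build < base.build:
            report["regressed"].append({
                "host": host,
                "baseline": f"{base.version} build {base.build}",
                "current": f"{cur.version} build {cur.build}",
                # Build-number distance is only a rough ordering key, but it
                # puts the hosts that went furthest back at the top of the list.
                "build_delta": base.build - cur.build,
            })
    report["unknown"] = sorted(h for h in current if h not in baseline)
    report["regressed"].sort(key=lambda r: r["build_delta"], reverse=True)
    return report


def isolation_list(report):
    """Hosts to segment off and scan first: every regressed host, plus every
    unbaselined host, since its patch level cannot be vouched for."""
    return [r["host"] for r in report["regressed"]] + list(report["unknown"])


if __name__ == "__main__":
    rep = find_regressions(parse_inventory(BASELINE_CSV),
                           parse_inventory(CURRENT_CSV))
    for r in rep["regressed"]:
        print(f"REGRESSED {r['host']}: {r['baseline']} -> {r['current']}")
    for h in rep["missing"]:
        print(f"MISSING   {h}: in baseline, not in current export")
    for h in rep["unknown"]:
        print(f"UNKNOWN   {h}: not in baseline")
    print("isolate first:", ", ".join(isolation_list(rep)))
```

Run it against the real exports and feed the isolation list into the segmentation and scanning steps above; re-run it after each migration wave so the list shrinks toward zero, and keep the baseline file under change control, since it is the only record of the patch level the environment had actually reached.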
How did Broadcom and its customers get here?
Broadcom completed its purchase of the virtualization and cloud computing company VMware in 2023. Since then, the company has slowly whittled away at the goodwill that VMware had built up over the years between itself and its large customer base.
The move to dismantle VMware’s package and revenue strategy began not long after the purchase was completed.
- In December 2023, less than a month after its purchase was complete, Broadcom stopped offering new VMware perpetual licenses. This affected a dozen different VMware products. It also enforced new licensing strategies that effectively push out small and mid-sized businesses, including a pricey 3-year lock-in license.
- In February 2024, the company discontinued the free edition of its ESXi hypervisor.
- Between March and April 2025, Broadcom changed the process for downloading VMware software binaries, effectively locking out perpetual license holders who did not renew or obtain a Support-and-Subscription (SnS) agreement.
- Beginning in March 2025, customers began reporting that Broadcom was sending cease-and-desist letters to perpetual license holders, demanding that they stop using its software. In May, it became clear that Broadcom was specifically targeting perpetual license holders who have expired SnS agreements and demanding rollbacks of software and security updates.
Broadcom’s push to change VMware’s licensing strategy was terrible from a customer service and customer satisfaction standpoint, but not immediately dangerous to customers and their data.
However, the company’s new efforts to strong-arm perpetual license holders into pricier subscription packages by canceling or failing to allow renewals of SnS agreements push its strategy into potentially unethical realms that endanger companies and their customers.
Comparitech will monitor and track ransomware attacks to see if any new threats that emerge over the next year can be linked to systems weakened by Broadcom’s forced rollbacks.