In this blog we will guide you through the process of implementing a Flexible BOM Upgrade, as VMware/Broadcom likes to call it. In practice it is the process of installing one or more async patches through SDDC Manager. In this specific example we will use the critical ESXi vulnerability described in VMSA-2025-0004: the patch resolves CVE-2025-22224, which carries a CVSSv3 score of 9.3.
Note, however, that the same procedure applies to the currently available NSX 4.1.2.3 patch and even to SDDC Manager 5.2.1.1. Earlier we published a similar blog for vCenter Server 8.0 Update 3d. A complete list of all async patches can be found in KB88287.
Steps
The following steps can be followed:
- Make sure you always make appropriate snapshots and backups before you start.
- Login to SDDC Manager using your credentials
- Download the ESXi Security bundle through SDDC Manager itself
- Download it through Bundle Management. In the SDDC Manager interface, navigate to LifeCycle Management > Bundle Management.
- Find the VMware Software Update 1.1.1.1 bundle. These 1.1.1.1 versions are the async patches. You will notice that NSX 4.1.2.3 is also available for download as an async patch.
- Note that you can find the complete list of async patches here.
Click Download to start the download. Compared to vCenter Server 8.x or NSX 4.x the bundle is quite small, so it won’t take long.
- After the download completes, you can create a Patch Plan to include the async patch
- Navigate to Inventory > Workload Domains > Management Domain, select Updates, open Available Updates and select Cloud Foundation 5.2.1.0
- Click Actions > Plan Patching
Note that the next screen will take some time to populate. Please be patient.
If nothing appears after a while, you might need to resolve this first through this blog post or Knowledge Base article KB380402.
- If the Plan Patching interface populates, you can select the Software Component, in this case VMware ESXi, and select the Target Version from the dropdown box. Click Confirm. In the next screen, review the settings and click Finish
- After a few moments the Available Updates will re-populate, and will show Configure Update.
- This is the point at which the ESXi update itself is planned and applied. From here on you can rely on the process you are used to: each software component, e.g. NSX, vCenter or ESXi, has its own Configure Update button with a configuration wizard.
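Steps 3 to 7 above are done by hand in the Bundle Management screen. As an added example (not code from the original post or from VMware), the following Python helper shows how the same selection can be made against a bundle listing retrieved from the SDDC Manager API: it picks the 1.1.1.1 async patch bundles for a given component, reports which still need downloading, and builds the download request. The response field names, the component type strings and the PATCH body shape are assumptions about the SDDC Manager API; the sample listing is constructed and contains placeholder versions.

```python
"""Select SDDC Manager async patch bundles (version 1.1.1.1) for a component.

Field names (elements, version, downloadStatus, components[].type/toVersion),
the component type strings and the download PATCH body are ASSUMED from the
SDDC Manager API and must be checked against your release's API reference.
"""
import json

# Constructed sample of a GET /v1/bundles response; not real SDDC Manager output.
SAMPLE_BUNDLES = json.dumps({"elements": [
    {"id": "bundle-A", "version": "1.1.1.1", "downloadStatus": "PENDING",
     "components": [{"type": "ESX_HOST", "toVersion": "8.0.3-PLACEHOLDER-A"}]},
    {"id": "bundle-B", "version": "1.1.1.1", "downloadStatus": "SUCCESSFUL",
     "components": [{"type": "NSX_T_MANAGER", "toVersion": "4.1.2.3"}]},
    {"id": "bundle-C", "version": "5.2.1.0", "downloadStatus": "SUCCESSFUL",
     "components": [{"type": "ESX_HOST", "toVersion": "8.0.3-PLACEHOLDER-B"}]},
]})


def async_patch_bundles(listing_json, component_type="ESX_HOST"):
    """Return the async patch bundles (version 1.1.1.1, as the post describes)
    that carry a component of the requested type, with their download status."""
    found = []
    for bundle in json.loads(listing_json).get("elements", []):
        if bundle.get("version") != "1.1.1.1":
            continue  # regular BOM bundle, not an async patch
        comps = bundle.get("components", [])
        if not any(c.get("type") == component_type for c in comps):
            continue
        found.append({"id": bundle["id"],
                      "status": bundle.get("downloadStatus"),
                      "to_versions": [c.get("toVersion") for c in comps]})
    return found


def bundles_to_download(listing_json, component_type="ESX_HOST"):
    """IDs of matching async patch bundles that are not yet downloaded."""
    return [b["id"] for b in async_patch_bundles(listing_json, component_type)
            if b["status"] != "SUCCESSFUL"]


def download_request(bundle_id):
    """Method, path and body for triggering an immediate bundle download
    (assumed shape: PATCH /v1/bundles/{id} with bundleDownloadSpec)."""
    return ("PATCH", f"/v1/bundles/{bundle_id}",
            {"bundleDownloadSpec": {"downloadNow": True}})


if __name__ == "__main__":
    for bid in bundles_to_download(SAMPLE_BUNDLES):
        print(download_request(bid))
```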
Background
- Previously the only option was through the Async Patch Tool. A lot of manual interaction was required. You can read all about it in the following blog: VCF 5.2.1 – Updating to VMware ESXi 8.0 Update 3b
- The new async patch is integrated and part of the SDDC Manager workflow, as mentioned earlier in blogs by VMware: VCF 5.2.1 – Using the Async Patch Tool. As mentioned in the first line of this blog post, VMware would like to call it the Flexible BOM Upgrade. VMware blog: Async Patching in VMware Cloud Foundation 5.2.1.
- We have already seen a similar update for vCenter Server as part of the VCF 5.2.1 upgrade as well: VCF 5.2.1 – Updating to vCenter Server 8.0 U3d using the Async Patch for security (VMSA-2024-0019)