A new ESX 9.0.0.0100 patch was recently released to address CVE-2025-41237 and best of all, it is live patchable!
As shared in this blog post from Féidhlim O'Leary, the ESX Live Patching capability has been significantly enhanced with the release of VMware Cloud Foundation (VCF) 9.0. While you can use live patching from within vCenter Server, I wanted to roll this out using the new Lifecycle Fleet Management capability in VCF Operations 😎
Step 1 - Log in to VCF Operations and navigate to Fleet Management->Lifecycle->(select your SDDC Manager instance)->Image Management. We first need to create a new vLCM image that contains the 9.0.0.0100 patch.

On the right-hand side of the wizard, you will find a direct link to your vCenter Server Image Catalog, where you can create the new vLCM image by providing a name and selecting the 9.0.0.0100 patch (which you can see is live patchable), then click Save.

Step 2 - Navigate back to Image Management in VCF Operations and click the refresh button to see the new vLCM image, then perform the import so that VCF Operations can use it.

Step 3 - We now need to configure a patch plan. Select a specific VCF Management and/or Workload Domain, click on the Updates tab and then the PLAN PATCHING button to begin the workflow. Select VMware ESXi as the component, set the target version to 9.0.0.0100 and click Confirm to complete the wizard.

At this point, you should see that the patch is available for download; you can either schedule the download or download it immediately.
Step 4 - Next, click on the Configure Update button to start associating the vLCM image that we created earlier.

Click on the ASSIGN IMAGE button to associate the image with each vSphere Cluster that you would like to apply the patch to.

In the Upgrade options, you will see an option to Enforce Live Patch; go ahead and select it and complete the wizard.

Step 5 - We are now ready to start our update; you can either schedule it or start patching immediately.

Once patching begins, you can head over to your vCenter Server and you will notice that the ESXi hosts are not placed into the traditional Maintenance Mode but rather into Partial Maintenance Mode, which is what ESX Live Patching uses! 🥳
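Since a live patch is supposed to apply without a reboot or a full Maintenance Mode entry, it is worth confirming that from vCenter once the run completes. The PowerCLI snippet below is an added example and is not part of the original post or of VCF Operations; it assumes the VMware.PowerCLI module is installed, that the account used has read access to vCenter Server, and uses placeholders for the vCenter name, the expected build number of 9.0.0.0100 (taken from the vLCM image created in Step 1) and the time the update was started.

```powershell
# Added verification snippet (not from the original post). Assumes the
# VMware.PowerCLI module is installed and the account can read vCenter inventory.
# Placeholders: replace the vCenter name, the expected build number (shown in the
# vLCM image for 9.0.0.0100) and the patch start time with your own values.
$VCenter       = 'vcsa.example.com'            # placeholder
$ExpectedBuild = '<build-of-9.0.0.0100>'       # placeholder
$PatchStart    = Get-Date '2025-07-15 10:00'   # placeholder: when the update was started

Connect-VIServer -Server $VCenter | Out-Null

Get-VMHost | ForEach-Object {
    # Summary.Runtime.BootTime comes from the host's HostRuntimeInfo in the vSphere API
    $bootTime = $_.ExtensionData.Summary.Runtime.BootTime
    [pscustomobject]@{
        Host               = $_.Name
        Version            = $_.Version
        Build              = $_.Build
        # 'Maintenance' here means the host entered full Maintenance Mode, not Partial
        ConnectionState    = $_.ConnectionState
        OnExpectedBuild    = ($_.Build -eq $ExpectedBuild)
        BootTime           = $bootTime
        # A live patch should not reboot the host, so a boot time after the patch start is a red flag
        RebootedSincePatch = ($bootTime -gt $PatchStart)
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Any host that reports RebootedSincePatch as True, or that is not on the expected build, deserves a look in the vLCM remediation task history before the run is considered successful.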

With VCF 9 Operations, users no longer need to go to each and every vCenter Server to apply their patches and updates. You can perform all lifecycle management, not just for your ESXi hosts but also for the rest of the components within your VCF Management Domain, using the new Fleet Management capabilities, which provide a single interface for managing your entire VCF fleet!

Super 👍
Do I understand correctly that you updated ESX hosts without TPM enabled?
AFAIK, Live Patching is not supported when TPM is enabled, right?
Yes, that's correct
Correct. Please see the referenced blog post for caveats when using Live Patching
Thanks for such great information. It's very useful.
Can you provide some steps and/or help explain how to get the VCF 9 download tool to retrieve async drivers (specifically looking to get the NIC drivers? ESXi 8 has newer Broadcom NIC drivers listed but none showing under v9, but the latest version isn't bundled into the latest images)
I also don't really understand the portion for the new tool for Update Manager Download Service (UMDS) and how I'm supposed to use it. I can't get the commands to run on WSL on Windows. The install works but then fails looking for vmware-umds when trying to configure the UMDS offline depot directory.
I appreciate the info!