How to patch VMware ESXi
Broadcom / VMware · Virtualization · 5 steps · updated June 2026
ESXi hosts are patched per host: evacuate the VMs, enter maintenance mode, apply the patch, reboot, and confirm the new build. vSphere Lifecycle Manager automates this across a cluster.
VMware ESXi has 8 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.
Check your current version first
Before you patch, record what you're running (ESXi shell / SSH):
vmware -v
—or—
esxcli system version get
Step by step
1. Run esxcli system version get to record the running build, and find the fixed build in the relevant VMSA advisory.
2. vMotion running VMs off the host (or power them down), then put the host into maintenance mode so no workloads are affected.
3. Preferred: use vSphere Lifecycle Manager (remediate against an updated image/baseline). Offline: upload the patch ZIP to a datastore and run esxcli software profile update -d /vmfs/volumes/<datastore>/<bundle>.zip -p <profile-name> (or esxcli software vib update for a single VIB).
4. Reboot to activate the new build, then exit maintenance mode.
5. Confirm the new build with vmware -v, exit maintenance mode, and let DRS rebalance VMs back. Repeat host by host across the cluster.
- Patch one host at a time so the cluster keeps capacity and HA cover.
- Check VM hardware / driver compatibility for major version jumps before remediating.
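The offline path in the steps above can be wrapped in a small gate that refuses to patch a host outside maintenance mode and compares the running build with the fixed build from the advisory. This is an added example, not Broadcom / VMware code; the script name, function names and the sample build number are constructed for illustration, and it assumes build numbers only increase within one release branch.

```shell
#!/bin/sh
# Added example: gate an offline ESXi patch on the host's build number.
# Depot path, profile name and fixed build are operator-supplied inputs
# (taken from the patch bundle and the VMSA advisory); none are real values.

# Print the numeric build from `esxcli system version get` output on stdin.
parse_build() {
    sed -n 's/^ *Build: *Releasebuild-\([0-9][0-9]*\) *$/\1/p'
}

# Return 0 if build $1 is at or above fixed build $2, 1 if below,
# 2 if either value is not a number. Assumes builds only increase
# within one release branch.
build_is_fixed() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$1" -ge "$2" ]
}

# One host: record the build, require maintenance mode, apply the profile.
patch_host() {
    depot=$1 profile=$2 fixed=$3
    before=$(esxcli system version get | parse_build)
    # Both values must be plain numbers before they are compared.
    build_is_fixed "$before" 0 && build_is_fixed "$fixed" 0 ||
        { echo "cannot read running build or fixed build" >&2; return 1; }
    echo "running build: $before, fixed build: $fixed"
    if build_is_fixed "$before" "$fixed"; then
        echo "already at or above the fixed build, nothing to apply"
        return 0
    fi
    if [ "$(esxcli system maintenanceMode get)" != "Enabled" ]; then
        echo "host is not in maintenance mode, refusing to patch" >&2
        return 1
    fi
    esxcli software profile update -d "$depot" -p "$profile" || return 1
    echo "update applied; reboot, then re-run to confirm build >= $fixed"
}

# On the host: sh patch-gate.sh /vmfs/volumes/<datastore>/<bundle>.zip <profile-name> <fixed-build>
if [ "$#" -eq 3 ]; then
    patch_host "$@"
else
    # Constructed sample of `esxcli system version get` output.
    sample='   Version: 0.0.0
   Build: Releasebuild-12345678'
    echo "sample build: $(printf '%s\n' "$sample" | parse_build)"
fi
```

Running it a second time after the reboot reports "already at or above the fixed build" once the patch has taken effect, which is the confirmation step 5 asks for.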
Official sources
- Advisory: Broadcom / VMware Security Advisories (VMSA)
- Download: Broadcom Support Portal
Frequently asked questions
What is the latest version of VMware ESXi?
As of June 2026, the latest supported VMware ESXi release we track is 9.1.0.0. Patch to the current release on your branch and confirm the version after updating.
How do I check which version of VMware ESXi I am running?
Use: vmware -v —or— esxcli system version get (ESXi shell / SSH). Record the result before and after patching to confirm the update applied.
Is VMware ESXi being actively exploited right now?
Yes — 8 VMware ESXi vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly.
How do I patch VMware ESXi safely without breaking production?
Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.
Patch steps are general, well-established guidance for VMware ESXi — always test in a non-production environment first and follow the official Broadcom / VMware advisory for your exact version. IsItPatched is independent and not affiliated with Broadcom / VMware; this is not a substitute for vendor documentation.