UCF STIG Viewer Logo

The ESXi host must have all security patches and updates installed.


Finding ID Version Rule ID IA Controls Severity
V-258776 ESXI-80-000221 SV-258776r933389_rule High
Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.
VMware vSphere 8.0 ESXi Security Technical Implementation Guide 2023-10-11


Check Text ( C-62516r933387_chk )
Determine the current version and build:

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Summary. Note the version string next to "Hypervisor:".


From a Secure Shell (SSH) session connected to the ESXi host, or from the ESXi shell, run the following command:

# vmware -v

If the ESXi host does not have the latest patches, this is a finding.

If the ESXi host is not on a supported release, this is a finding.

The latest ESXi versions and their build numbers can be found here: https://kb.vmware.com/s/article/2143832

VMware also publishes advisories on security patches and offers a way to subscribe to email alerts for them.

Go to: https://www.vmware.com/support/policies/security_response
Fix Text (F-62425r933388_fix)
ESXi can be patched in multiple ways, and this fix text does not cover all methods.

Manual patching when image profiles are not used:

- Download the latest "offline bundle" .zip update from vmware.com. Verify the hash.

- Transfer the file to a datastore accessible by the ESXi host, local or remote.

- Put the ESXi host into maintenance mode.

- From an ESXi shell, run the following command:

esxcli software vib update -d

Manual patching when image profiles are used:

From an ESXi shell, run the following command:

# esxcli software sources profile list -d /vmfs/volumes//

Note the available profiles. The organization will usually want the one ending in "-standard".

# esxcli software profile update -p -d /vmfs/volumes//

There will be little output during the update. Once complete, reboot the host for changes to take effect.