This article describes the currently known issues with Azure VMware Solution.
Refer to the table to find details about resolution dates or possible workarounds. For more information about the different feature enhancements and bug fixes in Azure VMware Solution, see What's New.
| Issue | Date discovered | Workaround | Date resolved | 
|---|---|---|---|
| Compression and deduplication are disabled by default in vSAN OSA-based clusters. This behavior is observed starting from Cluster-2 onwards, whereas Cluster-1 was deployed with the default configuration. | September 29, 2025 | To remediate, use the existing Set-vSANCompressDedupe Run command to enable compression and deduplication. See the Set-vSANCompressDedupe cmdlet documentation to learn more. | N/A |
| VMSA-2025-0016 VMware vCenter Server and NSX updates address multiple vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252). | September 29, 2025 | These vulnerabilities do not apply to Azure VMware Solution since we have existing compensating controls to mitigate the risk of exploitation. | N/A | 
| VMSA-2025-0015 VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246). | September 29, 2025 | Microsoft has confirmed these vulnerabilities affect Azure VMware Solution. Microsoft strongly recommends immediately upgrading VMware Aria Operations and VMware Tools for remediation. To remediate CVE-2025-41244, apply version 12.5.4 or 13.0.5 of VMware Tools using the Azure VMware Solution Run command Set-Tools-Repo. | September 29, 2025 | 
| VMSA-2025-0014 VMware vCenter Server updates address a denial-of-service vulnerability. | July 29, 2025 | Microsoft is aware of VMSA-2025-0014, which details a moderate-severity denial-of-service vulnerability in vCenter Server. Our security assessment has determined that this issue poses a low risk to the Azure VMware Solution platform. This vulnerability will be addressed as part of our regular, scheduled maintenance and update cycles. No immediate action is required from customers. | N/A | 
| VMSA-2025-0013 VMXNET3 integer-overflow, VMCI integer-underflow, PVSCSI heap-overflow, and vSockets information-disclosure vulnerabilities. | July 15, 2025 | Microsoft verified the applicability of the vulnerabilities within the Azure VMware Solution service and adjudicated the vulnerabilities at a combined adjusted Environmental Score of 9.3. Customers are advised to take extra precautions when granting administrative access to guest VMs until the update is addressed. For additional information on the vulnerability, see this blog post (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239). | July 29, 2025 - Resolved in ESXi 8.0_U3f | 
| Changing the default NSX Tier-1 name may cause some NSX features added through the Azure portal, such as DNS Zone and the Segment page, to not function as expected. | June 2025 | Azure VMware Solution uses the NSX Tier-1 name "TNTxx-T1" (where xx is the internal tenant ID) for these features. Therefore do not change the default Tier-1 name. | N/A | 
| Creating stateful gateway firewall rules associated with Azure VMware Solution default NSX-T tier-0 router causes unwanted/unexpected behavior. | May 2025 | Azure VMware Solution deploys with a stateless NSX-T tier-0 router. As such, stateful firewall rules are incompatible even though the NSX-T UI may allow it. Apply stateful services and/or firewall rules at the tier-1 router. | N/A | 
| Azure VMware Solution hosts may see high pNIC errors due to buffer overflows. A "High pNic error rate detected" alarm is raised on hosts in vSAN clusters when using Mellanox NICs. | June 2025 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | N/A |
| VMSA-2025-0012 Multiple vulnerabilities (CVE-2025-22243, CVE-2025-22244, CVE-2025-22245) identified in VMware NSX. | May 2025 | The vulnerability described in the Broadcom document does not apply to Azure VMware Solution because existing compensating controls mitigate the risk of exploitation. | The upcoming version of NSX includes the patch to address this vulnerability. |
| VMSA-2025-0010 Multiple vulnerabilities (CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, CVE-2025-41228) have been identified in VMware ESXi and vCenter Server. | May 2025 | Microsoft confirmed the applicability of these vulnerabilities in Azure VMware Solution. Existing security controls, including cloudadmin role restrictions and network isolation, are deemed to significantly mitigate the impact of these vulnerabilities before official patching. The vulnerabilities were adjudicated with a combined adjusted Environmental Score of 6.8 within Azure VMware Solution. Until the update is addressed, customers are advised to exercise caution when granting administrative access to guest virtual machines and to actively monitor any administrative activities performed on them. | N/A |
| VMSA-2025-0007 VMware Tools update addresses an insecure file handling vulnerability (CVE-2025-22247). | May 2025 | To remediate CVE-2025-22247, apply version 12.5.2 of VMware Tools using the Azure VMware Solution Run command Set-Tools-Repo. | May 2025 | 
| ESXi hosts may experience operational issues if NSX Layer-2 DFW default rule logging is enabled. More information can be obtained in this Knowledge Base article from Broadcom: ESXi hosts may experience operational issues if L2 DFW default rule logging is enabled. | May 2025 | It is not recommended to enable logging on the default Layer-2 DFW rule in a production environment for any sustained period of time. If logging must be enabled on an L2 rule, create a new L2 rule specific to the traffic flow in question and enable logging on that rule only. See Broadcom Knowledge Base Article 326455. | N/A |
| With VMware HCX versions 4.10.3 and earlier, attempts to download upgrade bundles or the Connector OVA directly from the HCX Manager UI (port 443) fail due to the decommissioning of the external image depot server. More information can be obtained in this Knowledge Base article from Broadcom: Upgrade Bundle Download from 443 UI will Fail in All HCX versions before 4.11 | April 2025 | We begin upgrading all Azure VMware Solution customers to HCX 4.11.0 in the coming weeks, which will provide customers with access to the HCX Connector upgrade bundles stored on their vSAN datastore. Until then, all customers will need to submit a support request (SR) to obtain the required upgrade bundles. | May 2025 |
| VMSA-2025-0005 VMware Tools for Windows update addresses an authentication bypass vulnerability (CVE-2025-22230). | April 2025 | To remediate CVE-2025-22230, apply version 12.5.1 of VMware Tools using the Azure VMware Solution Run command Set-Tools-Repo. | May 2025 | 
| If you're a user of AV64, you may notice a “Status of other hardware objects” alarm on your hosts in vCenter Server. This alarm doesn't indicate a hardware issue. It's triggered when the System Event Log (SEL) reaches its capacity threshold according to vCenter Server. Despite the alarm, the host remains healthy with no hardware-related error signatures detected, and no high availability (HA) events are expected as a result. It's safe to continue operating your private cloud without interruption. The alarm has only two possible states—green and red—with no intermediate warning state. Once the status changes to red, it will remain red even if conditions improve to what would typically qualify as a warning. | April 2025 | This alarm should be treated as a warning and won't affect operability of your private cloud. Microsoft adjusts thresholds for the alarm so it doesn't alert in vCenter Server. You can close the message in vCenter, which clears it until it reoccurs. | October 2025 | 
| After deploying an AV48 private cloud, you may see a High pNIC error rate detected. Check the host's vSAN performance view for details if alert is active in the vSphere Client. | April 2025 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | April 2025 | 
| VMSA-2025-0004 VMCI Heap-overflow, ESXi arbitrary write, and Information disclosure vulnerabilities. | March 2025 | Microsoft verified the applicability of the vulnerabilities within the Azure VMware Solution service and adjudicated the vulnerabilities at a combined adjusted Environmental Score of 9.4. Customers are advised to take extra precautions when granting administrative access to guest VMs until the update is addressed. For additional information on the vulnerability and Microsoft’s involvement, see this blog post. (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) | March 2025 - Resolved in ESXi 8.0_U2d | 
| Issue 3464419: After upgrading HCX 4.10.2, users are unable to log in or perform various management operations. | 2024 | None | December 2024 - Resolved in HCX 4.10.3 |
| After deploying an AV64 Cluster to my private cloud, the Cluster-N: vSAN Hardware compatibility issue alert is active in the vSphere client. | 2024 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2024 | 
| VMSA-2024-0021 VMware HCX addresses an authenticated SQL injection vulnerability (CVE-2024-38814) | 2024 | None | October 2024 - Resolved in HCX 4.10.1, HCX 4.9.2 and HCX 4.8.3 |
| vCenter Server vpxd crashes when using special characters in network names with VMware HCX. For more information, see vpxd crashes with duplicate key value in "vpx_nw_assignment" when using HCX-IX for migrations (323283). | November 2024 | Avoid using special characters in your Azure VMware Solution network names. | November 2024 | 
| New Standard private cloud deploys with vSphere 7, not vSphere 8 in Australia East region (Pods 4 and 5). | October 2024 | Pods 4 and 5 in Australia East have Hotfix deployed. | February 2025 | 
| VMSA-2024-0020 VMware NSX command injection, local privilege escalation & content spoofing vulnerability. | October 2024 | The vulnerability mentioned in the Broadcom document isn't applicable to Azure VMware Solution, as the attack vector mentioned doesn't apply. | N/A | 
| VMSA-2024-0019 Vulnerability in the DCERPC Protocol and Local Privilege Escalations | September 2024 | Microsoft, working with Broadcom, adjudicated the risk of CVE-2024-38812 at an adjusted Environmental Score of 6.8 and CVE-2024-38813 with an adjusted Environmental Score of 6.8. Adjustments from the base scores were possible due to the network isolation of the Azure VMware Solution vCenter Server DCERPC protocol access (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the Azure VMware Solution vCenter Server. Due to recent Broadcom updates on 11/18/2024, which change the software version that resolves the issues, the fixes are delayed and VCF 5.2.1 support for Azure VMware Solution is in progress. | N/A |
| New Stretched Clusters private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | Stretched Clusters Hotfix deployed. | February 2025 | 
| Zerto DR isn't currently supported with the AV64 SKU. The AV64 SKU uses ESXi host secure boot and Zerto DR hasn't implemented a signed VIB for the ESXi install. | 2024 | Zerto DR now fully supports AV64. | April 2025 | 
| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | AV36P SKU Hotfix deployed, issue resolved. | September 2024 | 
| VMSA-2024-0011 Out-of-bounds read/write vulnerability (CVE-2024-22273) | June 2024 | Microsoft has confirmed the applicability of the CVE-2024-22273 vulnerability and it will be addressed in ESXi 8.0u2b. | July 2024 - Resolved in ESXi 8.0 U2b | 
| VMSA-2024-0013 (CVE-2024-37085) VMware ESXi Active Directory Integration Authentication Bypass | July 2024 | Azure VMware Solution doesn't provide Active Directory integration and isn't vulnerable to this attack. | N/A | 
| VMSA-2024-0012 Multiple Vulnerabilities in the DCERPC Protocol and Local Privilege Escalations | June 2024 | Microsoft, working with Broadcom, adjudicated the risk of these vulnerabilities at an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. | November 2024 - Resolved in vCenter Server 8.0_U2d | 
| VMSA-2024-0006 ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | For ESXi 7.0, Microsoft worked with Broadcom on an AVS specific hotfix as part of the ESXi 7.0U3o rollout. For the 8.0 rollout, Azure VMware Solution is deploying vCenter Server 8.0 U2b & ESXi 8.0 U2b which isn't vulnerable. | August 2024 - Resolved in ESXi 7.0U3o and vCenter Server 8.0 U2b & ESXi 8.0 U2b | 
| VMware HCX version 4.8.0 Network Extension (NE) Appliance VMs running in High Availability (HA) mode may experience intermittent Standby to Active failover. For more information, see HCX - NE appliances in HA mode experience intermittent failover (96352) | Jan 2024 | Avoid upgrading to VMware HCX 4.8.0 if you're using NE appliances in a HA configuration. | Feb 2024 - Resolved in VMware HCX 4.8.2 | 
| When I run the VMware HCX Service Mesh Diagnostic wizard, all diagnostic tests will be passed (green check mark), yet failed probes will be reported. See HCX - Service Mesh diagnostics test returns 2 failed probes | 2024 | Fixed in 4.9+. | Resolved in HCX 4.9.2 | 
| The AV64 SKU currently supports RAID-1 FTT1, RAID-5 FTT1, and RAID-1 FTT2 vSAN storage policies. For more information, see AV64 supported RAID configuration | Nov 2023 | The AV64 SKU now supports 7 Fault Domains and all vSAN storage policies. For more information, see AV64 supported Azure regions | June 2024 | 
| VMSA-2023-023 VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-34048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-34048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. Azure VMware Solution is currently rolling out 7.0U3o to address this issue. | March 2024 - Resolved in ESXi 7.0U3o |
| After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager DNS - Forwarder Upstream Server Timeout alarm is raised | February 2023 | Enable private cloud internet access. The alarm is raised because NSX-T Manager can't access the configured Cloudflare DNS server. Otherwise, change the default DNS zone to point to a valid and reachable DNS server. | February 2023 |
| After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager Capacity - Maximum Capacity Threshold alarm is raised | 2023 | The alarm is raised because there are more than four clusters in the private cloud with the medium form factor for the NSX-T Data Center Unified Appliance. The form factor needs to be scaled up to large. This issue should be detected by Microsoft; however, you can also open a support request. | 2023 |
| When I build a VMware HCX Service Mesh with the Enterprise license, the Replication Assisted vMotion Migration option isn't available. | 2023 | The default VMware HCX Compute Profile doesn't have the Replication Assisted vMotion Migration option enabled. From the Azure VMware Solution vSphere Client, select the VMware HCX option and edit the default Compute Profile to enable Replication Assisted vMotion Migration. | 2023 | 
| When first logging in to the vSphere Client, the Cluster-n: vSAN health alarms are suppressed alert is active in the vSphere Client | 2021 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 | 
| When adding a cluster to my private cloud, the Cluster-n: vSAN physical disk alarm 'Operation' and Cluster-n: vSAN cluster alarm 'vSAN Cluster Configuration Consistency' alerts are active in the vSphere Client | 2021 | This alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 | 
| VMSA-2021-002 ESXiArgs OpenSLP vulnerability publicized in February 2023 | 2021 | Disable OpenSLP service | February 2021 - Resolved in ESXi 7.0 U3c | 
In this article, you learned about the current known issues with the Azure VMware Solution.
For more information, see About Azure VMware Solution.