Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes the currently known issues with Azure VMware Solution.
Refer to the table to find details about resolution dates or possible workarounds. For more information about the different feature enhancements and bug fixes in Azure VMware Solution, see What's New.
| Issue | Date discovered | Workaround | Date resolved |
|---|---|---|---|
| ESXi hosts may experience operational issues if NSX Layer-2 DFW default rule logging is enabled. More information can be obtained in this Knowledge Base article from Broadcom. ESXi hosts may experience operational issues if L2 DFW default rule logging is enabled | May 2025 | It is not recommended to enable logging on the default Layer-2 DFW rule in a Production environment for any sustained period of time. If logging must be enabled on an L2 rule, it is advised to create a new L2 rule specific to the traffic flow in question and enable logging on that rule only. Please see Broadcom Knowledge Base Article 326455. | N/A |
| With VMware HCX versions 4.10.3 and earlier, attempts to download upgrade bundles or the Connector OVA directly from the HCX Manager UI (port 443) fail due to the decommissioning of the external image depot server. More information can be obtained in this Knowledge Base article from Broadcom. Upgrade Bundle Download from 443 UI will Fail in All HCX versions prior to 4.11 | April 2025 | We will begin upgrading all Azure VMware Solution customers to HCX 4.11.0 in the coming weeks, this will provide customers with access to the HCX Connector upgrade bundles, which will be stored on their vSAN datastore. Until then, all customers will need to submit a support request (SR) to obtain the required upgrade bundles. | May 2025 |
| VMSA-2025-0005 VMware Tools for Windows update addresses an authentication bypass vulnerability (CVE-2025-22230). | April 2025 | To remediate CVE-2025-22230, apply version 12.5.1 of VMware Tools, use the Azure VMware Solution Run command Set-Tools-Repo. |
May 2025 |
| If you're a user of AV64, you may notice a “Status of other hardware objects” alarm on your hosts in vCenter Server. This alarm doesn't indicate a hardware issue. It's triggered when the System Event Log (SEL) reaches its capacity threshold according to vCenter Server. Despite the alarm, the host remains healthy with no hardware-related error signatures detected, and no high availability (HA) events are expected as a result. It's safe to continue operating your private cloud without interruption. The alarm has only two possible states—green and red—with no intermediate warning state. Once the status changes to red, it will remain red even if conditions improve to what would typically qualify as a warning. | April 2025 | This alarm should be treated as a warning and won't affect operability of your private cloud. Microsoft adjusts thresholds for the alarm, so it doesn't alert in vCenter Server. | May 2025 |
| After deploying an AV48 private cloud, you may see a High pNIC error rate detected. Check the host's vSAN performance view for details if alert is active in the vSphere Client. | April 2025 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | April 2025 |
| VMSA-2025-0004 VMCI Heap-overflow, ESXi arbitrary write, and Information disclosure vulnerabilities | March 2025 | Microsoft has verified the applicability of the vulnerabilities within the Azure VMware Solution service and have adjudicated the vulnerabilities at a combined adjusted Environmental Score of 9.4. Customers are advised to take additional precautions when granting administrative access to, and monitor any administrative activities on, guest VMs until the update is fully addressed. For additional information on the vulnerability and Microsoft’s involvement, please see this blog post. (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) | March 2025 - Resolved in ESXi 8.0_U2d |
| Issue 3464419: After upgrading HCX 4.10.2 users are unable to log in or perform various management operations. | 2024 | None | December 2024- Resolved in HCX 4.10.3 |
| After deploying an AV64 Cluster to my private cloud, the Cluster-N: vSAN Hardware compatibility issue alert is active in the vSphere client. | 2024 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2024 |
| VMSA-2024-0021 VMware HCX addresses an authenticated SQL injection vulnerability (CVE-2024-38814) | 2024 | None | October 2024- Resolved in HCX 4.10.1, HCX 4.9.2 and HCX 4.8.3 |
| vCenter Server vpxd crashes when using special characters in network names with VMware HCX. For more information, see vpxd crashes with duplicate key value in "vpx_nw_assignment" when using HCX-IX for migrations (323283). | November 2024 | Avoid using special characters in your Azure VMware Solution network names. | November 2024 |
| New Standard private cloud deploys with vSphere 7, not vSphere 8 in Australia East region (Pods 4 and 5). | October 2024 | Pods 4 and 5 in Australia East have Hotfix deployed. | February 2025 |
| VMSA-2024-0020 VMware NSX command injection, local privilege escalation & content spoofing vulnerability | October 2024 | The vulnerability mentioned in the Broadcom document isn't applicable to Azure VMware Solution, as attack vector mentioned doesn't apply. | N/A |
| VMSA-2024-0019 Vulnerability in the DCERPC Protocol and Local Privilege Escalations | September 2024 | Microsoft, working with Broadcom, adjudicated the risk of CVE-2024-38812 at an adjusted Environmental Score of 6.8 and CVE-2024-38813 with an adjusted Environmental Score of 6.8. Adjustments from the base scores were possible due to the network isolation of the Azure VMware Solution vCenter Server DCERPC protocol access (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the Azure VMware Solution vCenter Server. Due to recent Broadcom updates on 11/18/2024, which changes the software version that resolves the issues, the fixes are delayed and VCF 5.2.1 support for Azure VMware Solution is in progress. | N/A |
| New Stretched Clusters private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | Stretched Clusters Hotfix deployed. | February 2025 |
| Zerto DR isn't currently supported with the AV64 SKU. The AV64 SKU uses ESXi host secure boot and Zerto DR hasn't implemented a signed VIB for the ESXi install. | 2024 | Continue using the AV36, AV36P, and AV52 SKUs for Zerto DR. Zerto is working on AV64 support for CY2025. | N/A |
| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | AV36P SKU Hotfix deployed, issue resolved. | September 2024 |
| VMSA-2024-0011 Out-of-bounds read/write vulnerability (CVE-2024-22273) | June 2024 | Microsoft has confirmed the applicability of the CVE-2024-22273 vulnerability and it will be addressed in ESXi 8.0u2b. | July 2024 - Resolved in ESXi 8.0 U2b |
| VMSA-2024-0013 (CVE-2024-37085) VMware ESXi Active Directory Integration Authentication Bypass | July 2024 | Azure VMware Solution doesn't provide Active Directory integration and isn't vulnerable to this attack. | N/A |
| VMSA-2024-0012 Multiple Vulnerabilities in the DCERPC Protocol and Local Privilege Escalations | June 2024 | Microsoft, working with Broadcom, adjudicated the risk of these vulnerabilities at an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. | November 2024 - Resolved in vCenter Server 8.0_U2d |
| VMSA-2024-0006 ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | For ESXi 7.0, Microsoft worked with Broadcom on an AVS specific hotfix as part of the ESXi 7.0U3o rollout. For the 8.0 rollout, Azure VMware Solution is deploying vCenter Server 8.0 U2b & ESXi 8.0 U2b which isn't vulnerable. | August 2024 - Resolved in ESXi 7.0U3o and vCenter Server 8.0 U2b & ESXi 8.0 U2b |
| VMware HCX version 4.8.0 Network Extension (NE) Appliance VMs running in High Availability (HA) mode may experience intermittent Standby to Active failover. For more information, see HCX - NE appliances in HA mode experience intermittent failover (96352) | Jan 2024 | Avoid upgrading to VMware HCX 4.8.0 if you're using NE appliances in a HA configuration. | Feb 2024 - Resolved in VMware HCX 4.8.2 |
| When I run the VMware HCX Service Mesh Diagnostic wizard, all diagnostic tests will be passed (green check mark), yet failed probes will be reported. See HCX - Service Mesh diagnostics test returns 2 failed probes | 2024 | Fixed in 4.9+. | Resolved in HCX 4.9.2 |
| The AV64 SKU currently supports RAID-1 FTT1, RAID-5 FTT1, and RAID-1 FTT2 vSAN storage policies. For more information, see AV64 supported RAID configuration | Nov 2023 | The AV64 SKU now supports 7 Fault Domains and all vSAN storage policies. For more information, see AV64 supported Azure regions | June 2024 |
| VMSA-2023-023 VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-03048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-03048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. Azure VMware Solution is currently rolling out 7.0U3o to address this issue. | March 2024 - Resolved in ESXi 7.0U3o |
| After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager DNS - Forwarder Upstream Server Timeout alarm is raised | February 2023 | Enable private cloud internet Access, alarm is raised because NSX-T Manager can't access the configured Cloudflare DNS server. Otherwise, change the default DNS zone to point to a valid and reachable DNS server. | February 2023 |
| After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager Capacity - Maximum Capacity Threshold alarm is raised | 2023 | Alarm raised because there are more than four clusters in the private cloud with the medium form factor for the NSX-T Data Center Unified Appliance. The form factor needs to be scaled up to large. This issue should get detected through Microsoft, however you can also open a support request. | 2023 |
| When I build a VMware HCX Service Mesh with the Enterprise license, the Replication Assisted vMotion Migration option isn't available. | 2023 | The default VMware HCX Compute Profile doesn't have the Replication Assisted vMotion Migration option enabled. From the Azure VMware Solution vSphere Client, select the VMware HCX option and edit the default Compute Profile to enable Replication Assisted vMotion Migration. | 2023 |
| When first logging in to the vSphere Client, the Cluster-n: vSAN health alarms are suppressed alert is active in the vSphere Client | 2021 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 |
| When adding a cluster to my private cloud, the Cluster-n: vSAN physical disk alarm 'Operation' and Cluster-n: vSAN cluster alarm 'vSAN Cluster Configuration Consistency' alerts are active in the vSphere Client | 2021 | This alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 |
| VMSA-2021-002 ESXiArgs OpenSLP vulnerability publicized in February 2023 | 2021 | Disable OpenSLP service | February 2021 - Resolved in ESXi 7.0 U3c |
In this article, you learned about the current known issues with the Azure VMware Solution.
For more information, see About Azure VMware Solution.