Enterprises are ditching VMware for Proxmox, but forget to apply updates, security firm warns

Broadcom pricing hikes are triggering an exodus from VMware, with the open-source alternative Proxmox gaining serious traction within enterprise organizations. However, rushed migrations often leave behind deployments that are never updated again, and that is raising security concerns.
Both VMware ESXi and Proxmox VE are hypervisors, software that lets companies run multiple virtual machines on shared hardware and deliver services ranging from websites to internal business tools from that shared infrastructure.
VMware is proprietary, whereas Proxmox is built on open-source technology. After Broadcom, a major tech company, acquired VMware, its pricing and subscription structure changed significantly, leading to “big bills.”
Proxmox, meanwhile, can be used for free, which makes it highly popular among home lab enthusiasts. Enterprises typically pay for a subscription instead, which gives them access to the vendor-tested stable update repository, security fixes, and technical support.
“Proxmox is starting to gain serious traction within enterprise organizations,” the exposure management platform runZero said in a blog post.
“Over the last year, we’ve seen a massive increase in deployed Proxmox VE systems.”
The firm acknowledges that “VMware customers have had a tough time lately,” as Broadcom’s licensing changes “have pushed folks to seek alternatives, and many are turning to the open-source Proxmox Virtual Environment (VE) as a replacement.”
Proxmox isn’t the only alternative. Some system integrators have been pointing to XCP-ng, another open-source hypervisor with architecture and management tools that closely resemble VMware’s stack.
“There’s some very large-scale – thousands of VMs – that we’ve managed for clients and done large-scale migrations off of VMWare,” Lawrence Systems previously said.
But there’s a problem: many outdated deployments
Alongside the surge in deployments, runZero noted a worrying trend: many of the installations are out of date, and some run versions that have already reached end-of-life.
Most of the deployed instances are running “stale” Proxmox versions ranging from 8.0.3 to 8.4.13.
“The two latest versions of Proxmox VE are 9.0.11 and 8.4.14. All versions of Proxmox prior to 8 are end-of-life (EoL),” runZero warns.
“Importantly, the entire operating system no longer receives security updates, not just the Proxmox VE software. This means that every new vulnerability in Debian may also impact these older versions, including supporting services like OpenSSH.”
The blog doesn’t provide exact numbers. However, its chart suggests that outdated Proxmox deployments outnumber fully patched ones many times over.
“Only a small minority of users are keeping up with patches,” the firm said.
EoL systems are the most exposed: the vendor no longer ships fixes, so every newly disclosed flaw in the hypervisor or in the underlying Debian packages stays unpatched indefinitely, and the host becomes an easier target for breaches and attacks. The runZero platform helps clients track outdated software.
Proxmox releases are closely tied to the Debian (Linux distribution) release schedule: each major Proxmox VE version is built on a Debian release and is supported for about three years, matching that Debian release’s lifetime.
“Proxmox VE 8, the previous major version, is supported until June of 2026, three years after the Debian 12 (Bookworm) release.”
Most teams probably deploy the latest stable version of Proxmox at migration time, but once the cluster is running, updates tend to get pushed aside. Major version upgrades, according to Proxmox, require careful planning, testing, and verified, current backups.
“Minor version upgrades, for example, upgrading from Proxmox VE in version 8.1 to 8.2 or 8.3, can be done just like any normal update. But you should still check the release notes for any relevant notable or breaking change,” Proxmox’s support page reads.
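The first step in acting on runZero’s warning is knowing which hosts are stale. The script below is an added example, written for this article and not taken from runZero or the Proxmox project: it takes the version string that Proxmox’s own `pveversion` command prints on a host, classifies it against the support picture the article describes (anything before 8 is EoL; 8.4.14 and 9.0.11 are the newest releases it names), and tells you whether a routine minor update or a planned major upgrade is due. The two “latest” thresholds are hard-coded from the article and are an assumption that will go out of date as new point releases appear; the sample `pveversion` line is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Cybernews article or the Proxmox project.
# Classifies a Proxmox VE version against the support picture the article
# describes. LATEST_8 and LATEST_9 are taken from the article's text and
# are assumptions that must be updated as new point releases ship.

LATEST_8="8.4.14"
LATEST_9="9.0.11"

# Constructed sample of what `pveversion` prints on a host (hash and kernel
# are made up); used when the script is run somewhere pveversion is absent.
SAMPLE_PVEVERSION='pve-manager/8.4.13/0123456789abcdef (running kernel: 6.8.12-13-pve)'

# vercmp A B: prints lt, eq or gt by comparing dotted numeric versions
# component by component, so 8.4.9 sorts below 8.4.13 (string order would not).
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' lt; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' gt; return; fi
    done
    printf '%s\n' eq
}

# pve_version_from_output LINE: extracts "8.4.13" from a pveversion line such as
# "pve-manager/8.4.13/<hash> (running kernel: ...)".
pve_version_from_output() {
    printf '%s\n' "$1" | sed -n 's#^pve-manager/\([0-9][0-9.]*\)/.*#\1#p'
}

# pve_support_status VERSION: prints one of
#   eol      - major version before 8, no security updates at all (per the article)
#   stale    - supported major version, but behind the latest point release
#   current  - at the latest point release the article names
#   unknown  - a major version this script has no threshold for
pve_support_status() {
    v="$1"
    major=${v%%.*}
    case "$major" in
        ''|*[!0-9]*) printf '%s\n' unknown; return ;;
    esac
    if [ "$major" -lt 8 ]; then printf '%s\n' eol; return; fi
    if [ "$major" -eq 8 ]; then latest="$LATEST_8"
    elif [ "$major" -eq 9 ]; then latest="$LATEST_9"
    else printf '%s\n' unknown; return; fi
    if [ "$(vercmp "$v" "$latest")" = lt ]; then
        printf '%s\n' stale
    else
        printf '%s\n' current
    fi
}

# advice STATUS: maps the status onto the article's upgrade guidance.
advice() {
    case "$1" in
        eol)     printf '%s\n' "plan a major upgrade: backups, release notes, test first" ;;
        stale)   printf '%s\n' "apply the minor update as a normal update, after reading the release notes" ;;
        current) printf '%s\n' "up to date" ;;
        *)       printf '%s\n' "version not recognised, check manually" ;;
    esac
}

# Use the real pveversion output when run on a Proxmox host, the sample otherwise.
if command -v pveversion >/dev/null 2>&1; then
    out=$(pveversion)
else
    out="$SAMPLE_PVEVERSION"
fi
ver=$(pve_version_from_output "$out")
status=$(pve_support_status "$ver")
printf 'Proxmox VE %s: %s (%s)\n' "$ver" "$status" "$(advice "$status")"
```

Run as-is it reports the constructed sample as stale (8.4.13 is behind 8.4.14); on a real host it reads `pveversion` instead. For hosts it flags as stale, Proxmox’s documented minor-update path is `apt update` followed by `apt dist-upgrade` from the host shell, not a plain `apt upgrade`; for hosts flagged EoL, Proxmox ships a pre-upgrade checker for each major jump (`pve7to8`, `pve8to9`) that should be run and read before anything else, and the version thresholds in the script should be refreshed against Proxmox’s current release notes rather than the figures quoted here.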