IT Vortex - Managed IT Services

Why “Unpatched” is a Warning Now to Businesses

Does your business run on VMware vSphere? If so, continue reading. vSphere 7 is already past End of General Support. vSphere 8 will follow in October 2027. And on April 7, 2026, Anthropic disclosed an AI model that can autonomously find and weaponize zero-day vulnerabilities at industrial scale.

What does this mean for you and your business? If your business still runs on aging VMware hypervisors with no active patching pipeline, the collision course between these two timelines is the most under-discussed risk in enterprise IT today.

In April 2025, a ransomware crew encrypted the VMware ESXi hypervisors at UK retail giant Marks & Spencer. Online sales stopped, logistics ground to a halt, and estimated damage exceeded $400 million. The attackers were skilled humans chaining known techniques. The next generation of this attack will not require skilled humans, which can lead to a bigger crisis.

Below, we walk through the VMware vSphere 6.x to 9.x lifecycle, explain what End of General Support (EoGS) actually means, examine the current hypervisor threat landscape, and then turn to the development that changes the calculus entirely: Anthropic’s Claude Mythos Preview and Project Glasswing.

The thesis is simple: The calendar on unpatched software has always mattered. AI-scale vulnerability discovery is about to make it the defining risk of the next 24 months.

 

The VMware vSphere Lifecycle at a Glance

VMware’s (now Broadcom’s) enterprise infrastructure lifecycle policy gives each major vSphere release roughly five years of General Support followed by two years of Technical Guidance. General Support is where security patches, bug fixes, new hardware compatibility, and live engineer assistance live. Technical Guidance is the goodbye phase: documentation and self-help only.

Here is the full lifecycle picture for the last four major versions, plus the current subscription-only release. The red marker shows where we are today.

The Dates That Matter, in Plain English

    • vSphere 6.0: End of General Support: March 12, 2020. End of Technical Guidance: March 12, 2022. Fully unsupported.

    • vSphere 6.5 & 6.7: End of General Support: October 15, 2022. End of Technical Guidance: November 15, 2023. Fully unsupported.

    • vSphere 7.0: End of General Support: October 2, 2025 (extended six months from the original April 2025 date). End of Technical Guidance: October 2, 2027. Currently in Technical Guidance: no new security patches.

    • vSphere 8.0: End of General Support: October 11, 2027. End of Technical Guidance: October 11, 2029. The last version that could be purchased with a perpetual license.

    • vSphere / VCF 9.0: Generally Available since June 17, 2025. Subscription-only. No perpetual license option.

 

What “End of General Support” Actually Means

End of General Support is the phrase vendors use when they want to sound collaborative about a date that should concern any CIO. Here is what each lifecycle phase actually delivers and takes away in practical terms.

The critical distinction most stakeholders miss: Technical Guidance is not patched software. It is documented software. When a new ESXi vulnerability is disclosed during that phase (and new ones absolutely will be disclosed), there is no fix coming. You are running an appliance that cannot be legitimately hardened against the next CVE, regardless of how much you pay for third-party support.
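One way to turn the lifecycle dates above into an inventory check, as an added example rather than code from IT Vortex or Broadcom: it sorts hosts by lifecycle phase as of a given date, worst first. The host names, the placeholder build numbers and the `VMware ESXi X.Y.Z build-N` string format are assumptions, and each listed date is treated as the last day of its phase.

```python
import re
from datetime import date

# (End of General Support, End of Technical Guidance) per release line,
# taken from the dates listed in this article. 9.0 has no end dates on
# the page, so it is recorded as None.
LIFECYCLE = {
    "6.0": (date(2020, 3, 12), date(2022, 3, 12)),
    "6.5": (date(2022, 10, 15), date(2023, 11, 15)),
    "6.7": (date(2022, 10, 15), date(2023, 11, 15)),
    "7.0": (date(2025, 10, 2), date(2027, 10, 2)),
    "8.0": (date(2027, 10, 11), date(2029, 10, 11)),
    "9.0": None,
}

# Worst first. "unknown" ranks above general support so that hosts whose
# version could not be parsed are reviewed rather than silently passed.
RANK = {"unsupported": 0, "technical-guidance": 1, "unknown": 2, "general-support": 3}

VERSION_RE = re.compile(r"ESXi\s+(\d+)\.(\d+)", re.IGNORECASE)


def classify(version_string, as_of):
    """Return (release_line, phase, patch_days_left) for one version string."""
    m = VERSION_RE.search(version_string)
    line = f"{m.group(1)}.{m.group(2)}" if m else None
    if line not in LIFECYCLE:
        return (line, "unknown", None)
    dates = LIFECYCLE[line]
    if dates is None:
        return (line, "general-support", None)
    eogs, eotg = dates
    # Assumption: the listed date is the last day of that phase.
    if as_of <= eogs:
        return (line, "general-support", (eogs - as_of).days)
    if as_of <= eotg:
        return (line, "technical-guidance", 0)  # documented, not patched
    return (line, "unsupported", 0)


def audit(inventory, as_of):
    """Classify each (hostname, version_string) pair and sort worst first."""
    rows = [(host,) + classify(version, as_of) for host, version in inventory]

    def sort_key(row):
        host, _line, phase, days = row
        return (RANK[phase], days if days is not None else float("inf"), host)

    return sorted(rows, key=sort_key)


# Constructed sample inventory: hypothetical host names, placeholder builds.
SAMPLE_INVENTORY = [
    ("esx-prod-01", "VMware ESXi 8.0.2 build-00000000"),
    ("esx-prod-02", "VMware ESXi 7.0.3 build-00000000"),
    ("esx-lab-01", "VMware ESXi 6.7.0 build-00000000"),
    ("esx-new-01", "VMware ESXi 9.0.0 build-00000000"),
    ("esx-dr-01", "unparsed banner"),
]

if __name__ == "__main__":
    # The as-of date is an assumption chosen to match the article's timeframe.
    for host, line, phase, days in audit(SAMPLE_INVENTORY, date(2026, 4, 15)):
        print(f"{host:12} {line or '?':4} {phase:18} patch days left: {days}")
```
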

 

The Real-World Risk of Running Unpatched VMware (Today, Before AI)

Before we get to what Claude Mythos changes, it is worth grounding in what the existing human-scale threat landscape has already done to unpatched hypervisors.

CVE-2025-22225, a VMware ESXi arbitrary write vulnerability that allows attackers to escape the VMX sandbox and gain kernel-level access to the underlying hypervisor, was patched by Broadcom in March 2025. In February 2026, CISA formally confirmed that ransomware groups are actively exploiting it in the wild. Huntress traced the associated toolkit back to February 2024, meaning attackers had a full year of silent exploitation before the fix existed.

This is the template for modern hypervisor attacks: chain a VM-to-host escape (like CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) with a credential compromise or Active Directory misconfiguration (like CVE-2024-37085, the “ESX Admins” group abuse), and the attacker goes from one foothold inside a guest VM to full control of every workload on the hypervisor in minutes.

Today, executing this attack chain at scale requires skilled operators. That fact has been the single biggest reason most organizations have gotten away with running EoGS infrastructure. In April 2026, that fact changed.

 

The Mythos Inflection Point

On April 7, 2026, Anthropic’s security research team published a technical disclosure describing a new frontier AI model called Claude Mythos Preview. Unlike a conventional product announcement, this was accompanied by a decision the company has never made before: Mythos Preview would not be released to the public. It would only be shared, under controlled conditions, with a small consortium of critical industry partners through an initiative called Project Glasswing. The reason: the model’s cybersecurity capabilities were assessed as too dangerous for broad deployment.

The reason is visible in the numbers. During internal testing, Mythos Preview autonomously identified thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser. The examples Anthropic disclosed are worth reading carefully:

    • A 27-year-old denial-of-service vulnerability in OpenBSD’s TCP SACK implementation, in an operating system famous for its security hardening. Discovered across roughly 1,000 scaffold runs at a total cost under $20,000.

    • A 16-year-old flaw in FFmpeg’s H.264 codec, introduced in a 2003 commit and overlooked ever since. Anthropic noted the code had been hit five million times by automated testing tools without any of them catching the problem.

    • CVE-2026-4747, a 17-year-old remote code execution vulnerability in FreeBSD’s NFS server. Mythos identified it, wrote the exploit, and demonstrated unauthenticated root access, all without any human involvement after the initial prompt.

    • A web browser exploit that chained four separate vulnerabilities, using a JIT heap spray to escape both the renderer sandbox and the operating system sandbox. This class of exploit chain has historically been the province of a few dozen elite security researchers worldwide.

    • Multi-vulnerability Linux kernel privilege escalation chains involving KASLR bypasses, cross-cache heap reclamation, and credential structure overwrites to achieve root.

    • Authentication bypasses in web applications, weaknesses in cryptography libraries covering TLS, AES-GCM, and SSH, and at least one guest-to-host escape in a memory-safe virtual machine monitor.

 

The Capability Jump, Quantified

Anthropic’s own benchmarks frame the scale of what changed between its previous frontier model (Opus 4.6) and Mythos Preview. One test is particularly stark: tasked with producing working exploits against the Firefox JavaScript engine, Opus 4.6 produced 2 exploits across several hundred attempts. Mythos Preview produced 181.

The economics are equally striking. Help Net Security, summarizing the Anthropic disclosure, reports that one documented exploit chain, starting from a CVE identifier and a git commit hash, completed in under a day at a total compute cost under $2,000. The broader finding rate comes in around $50 per vulnerability. For context: a nation-state cyber operation that once required a team of specialists and several months of effort is, at those price points, now a weekend project with an API key.

Anthropic’s own framing of the underlying dynamic is worth quoting:

Project Glasswing and the 11-Company Consortium

Anthropic’s response to what it found was to spin up Project Glasswing, a controlled-access initiative giving Mythos Preview to a specific set of defenders so they can find and patch the vulnerabilities in their own code before Mythos-class capabilities become available elsewhere. The initial consortium includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks.

That Broadcom is on the list is not incidental to this article. It means the vendor responsible for VMware vSphere has direct, early access to the same AI capability that attackers will eventually replicate, and that access is currently being used to find and fix vulnerabilities in actively supported VMware products. Customers running vSphere 8 and vSphere 9 will, over time, receive patches informed by that work. Customers running vSphere 6.x or vSphere 7 will not. There is no patch pipeline for software that is past EoGS. The defensive benefit of Glasswing flows only to supported versions.

When, Not If, This Capability Goes Broad

Anthropic was explicit about its reasoning for restricting Mythos Preview. The concern is not that the model itself will leak (though, notably, news of Mythos first surfaced because of an inadvertent Anthropic data cache exposure weeks before the planned announcement). The concern is that other AI labs are building toward similar capabilities and will reach them on their own timelines, with their own safety postures, and their own access models.

Security industry commentary has converged on a rough window. Writing for HumAI.blog shortly after the disclosure, one analyst put it bluntly: other labs will reach this threshold within roughly 12 months. Rich Mogull, a veteran cloud security analyst, framed what that means operationally in a briefing summarized by Help Net Security:

It is worth absorbing that sentence. Log4Shell, the December 2021 Log4j vulnerability, was a once-in-several-years crisis that consumed entire security organizations for months. The forecast being floated by people who have looked at Mythos-class output is that events of similar severity will become a monthly occurrence somewhere across the enterprise software stack. Every one of those events produces new CVEs. Every one of those CVEs requires a patch. Every patch requires a vendor willing and able to ship one for your specific version.

 

What This Does to Unpatched Enterprise Software

The implication for any organization still running EoGS infrastructure is direct, and it compounds quickly.

First, the volume of discovered vulnerabilities in supported software is about to increase substantially. Even Glasswing-restricted use of Mythos is already generating high-severity findings faster than vendors can patch them. Anthropic disclosed that fewer than 1% of the bugs Mythos has uncovered have been fully patched as of the announcement. Those patches, as they ship, will disclose the underlying vulnerability classes. Attackers who cannot afford frontier AI access can still read public CVE databases, and public CVEs map directly onto unpatched systems.

Second, Mythos-class capability will eventually be broadly accessible, whether through Anthropic’s own later products, competing labs, open-source model catch-up, or theft. Every analyst looking at this has framed the horizon in single-digit months to roughly two years. When that capability is available to anyone with an API key, the equation changes for every target that cannot receive patches:

    • An EoGS vSphere host becomes a standing target. Today, a ransomware affiliate needs a CVE and a working exploit. Tomorrow, they can feed the hypervisor source to a Mythos-class model and ask it to find one. For currently-supported versions, the discovered bug becomes a patched bug in Broadcom’s next release. For EoGS versions, it simply becomes a weapon.

    • Historical vulnerability exhaust surfaces all at once. Mythos has already demonstrated it can find 27-year-old bugs in code that has been reviewed and fuzzed for decades. The implication is not that those bugs are rare – it is that they are everywhere, waiting to be surfaced by the first machine patient enough to look. Every line of legacy code is a future CVE.

    • The “obscurity” defense fully collapses. The argument that “we’re too small a target” has been weak since ransomware-as-a-service arrived. Mythos-class automation makes it structurally impossible: when scanning and exploit development both cost cents per target, there is no size of organization that is economically uninteresting.

    • Cyber insurance becomes progressively unavailable for EoGS estates. Insurers were already tightening on unsupported software in 2025 and 2026. Roughly 22% of denied cyber claims involve outdated systems. Add AI-scale discovery of new vulnerabilities in those systems, and it is difficult to see how carriers continue to write coverage at rational premiums for organizations who cannot demonstrate a patching path.

 

 

A Safer Path Forward: VMware Private Cloud, Cloud Migration, and DRaaS

The honest assessment is this: every business currently running vSphere 7 or early 8 has to make a decision in the next 12 to 18 months. The decision is not whether to move; the calendar and the AI curve have settled that. The decision is where to move, how to pay for it, and who absorbs the operational risk while you are in transition.

IT Vortex was built for this moment. As a Premier Broadcom VCSP Partner, we run enterprise-grade VMware infrastructure as a managed service so your workloads can leave the risk of aging, on-premise hypervisors behind without leaving the VMware ecosystem your team already knows. And because Broadcom is inside the Project Glasswing consortium, customers who stay on current, supported vSphere versions are downstream beneficiaries of the most significant defensive AI investment in the industry right now. Customers who stay on EoGS versions are not.

 

IT Vortex Cloud Hosting: Enterprise-Grade VMware, Without the Lifecycle Headache

Our Cloud Hosting (IaaS) platform is a fully managed, VMware-powered private cloud. You run your workloads on dedicated, resilient, high-performance infrastructure with the vSphere, vSAN, and NSX constructs your team already understands, but you stop owning the parts of the VMware problem that Broadcom’s post-acquisition changes have made expensive and complicated:

    • Licensing is our problem, not yours. We navigate Broadcom’s bundle changes, 72-core minimums, and subscription mechanics. You consume a predictable managed service.

    • Patching and lifecycle are continuous. Your workloads always run on supported, actively-patched versions of vSphere. No EoGS cliffs. No panic upgrades. No question about whether the next CVE has a fix.

    • Hardware refresh disappears from your capex plan. When the underlying hardware needs to refresh, that is our project, not yours.

    • Your team keeps their skills. We do not ask you to retrain on a new hypervisor, re-platform your applications, or rewrite your automation. VMware is VMware.

 

Cloud Migration: A Structured Path Off Your Aging Estate

A well-run migration is the difference between a clean transition and a three-quarter firefight. IT Vortex’s Cloud Migration practice handles the full arc: discovery and dependency mapping on your current environment, target design on our managed platform, workload grouping and wave planning, replication and testing, cutover orchestration, and post-migration validation. We have moved estates off every vSphere version back to 6.x, and we have seen every variant of the “it worked on-prem” surprise. Your migration does not have to be a discovery project. It can be an execution project.

 

DRaaS: Making the Migration Double as a Resilience Upgrade

One of the more strategic moves available to companies in the vSphere end-of-support window is to couple migration with a Disaster Recovery as a Service (DRaaS) engagement. Instead of treating DR as an afterthought of the new environment, you start the migration as a DR replication, prove the target, and then cut over. The result: the same project that gets you off an unsupported hypervisor also leaves you with a tested, documented, low-RPO recovery capability, exactly the kind of control cyber insurers now expect to see at renewal, and exactly the kind of resilience that survives a world where catastrophic CVEs arrive at a monthly cadence.

IT Vortex’s DRaaS platform is built on the same Broadcom VCSP-backed infrastructure, with per-workload RPO/RTO design, regular failover testing, and full integration with Veeam-based replication for customers already invested in that stack.

 

Don’t Let the Calendar or the Capability Curve Be Your Biggest Vulnerability

The vSphere end-of-support timeline is one of the few cybersecurity risks where every date is public, every consequence is documented, and every mitigation option exists today. The arrival of Claude Mythos Preview, and the Project Glasswing consortium it spawned, is the other half of the same picture: the vendors who are in the room right now are getting an AI-assisted head start on defending their supported products, while unpatched, out-of-lifecycle software sits in an increasingly exposed position relative to the attacker capability curve.

If your estate is still anchored to vSphere 6.x, 7.x, or early 8.x, the most valuable thing you can do this quarter is get a real answer to three questions: where is the exposure, what would a migration actually cost, and what does the clean target state look like? Those answers take days to produce, not months, when the right partner is involved. They tend to take years to produce internally when no one is formally accountable.

 

IT Vortex is a Premier Broadcom VCSP Partner headquartered in Paramus, NJ, delivering VMware-powered Cloud Hosting (IaaS), Desktop as a Service (DaaS), Disaster Recovery as a Service (DRaaS), Backup as a Service (BaaS), and Security as a Service (SECaaS) to enterprises across North America. Learn more at theitvortex.com or call 1 (844) 704-0684.

Sources and further reading: Anthropic red team disclosure (red.anthropic.com/2026/mythos-preview); Help Net Security coverage of Mythos Preview and Project Glasswing (April 2026); Council on Foreign Relations analysis of the Mythos release; Tom’s Hardware and The Hacker News reporting on Mythos capabilities; CISA KEV catalog entry for CVE-2025-22225; Broadcom VMware product lifecycle documentation; Huntress hypervisor ransomware data (H2 2025).
