https://www.vmware.com/security/advisories/VMSA-2022-0033.html

1. Is the USB 3.1 (xHCI) Controller affected?  The article only lists the USB 2.0 (EHCI) Controller, however the script they provide to remove it will remove all USB Controller versions.   We have hundreds of VMs with the USB 3.1 (xHCI) Controller and only a few using the 2.0 Controller

2. Are the ESXi 6.7 and 6.5 OSes affected as well?  The article only mentions ESXi 8.0 and 7.0 and are not sure if the older versions are not listed because they are no longer supported by VMware.

The KB specifically lists a problem with the USB 2.0 EHCI controllers, so one can assume that the xhci controllers are not affected.

I have tested adding and removing USB 2.0 and 3.1 controllers to a VM and I think the following code works:

# VMs with USB 1.1 or 2.0 EHCI controller 'USB controller'
Get-VM | ?{$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "USB controller"}

# VMs with USB 3.1 xHCI controller 'USB xHCI controller'
Get-VM | ?{$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "xhci"}

This vulnerability reinforces the thought that VMs should only be configured with the hardware they actually need to function.. 99.9% of the VMs I have looked after have no need for a virtual USB controller.