This bug CSCwa45730 [Known Fixed Releases] contains 5.0(1c) as fixed. This is incorrect. I opened a Cisco HXDP support case to clarify, and indeed, 5.0(1c) is vulnerable. Only HXDP containing ESXi 7.0U3i or later with an upgrade to HXDP 5.0(2a) or later is fixed. I requested that Cisco update the bug [Known Fixed Releases] to address this documentation defect.
Support for ESXi 7.0U3 began to be included with HXDP 5.0(2a). Confusingly, the bug report shows 5.0(1c) as also fixed, but 5.0(1c) is at the ESXi 7.0U2 level, so it is not fixed.