Broadcom published a security advisory on July 14, 2026 patching seven serious vulnerabilities in VMware Avi Load Balancer, the software-defined ADC (application delivery controller) platform used to load-balance, secure, and analyze web application traffic in hybrid and multi-cloud environments. The headline flaw — CVE-2026-47865 — is a Critical (CVSS 9.8) authentication bypass that allows a network-adjacent attacker to take over the Avi control plane with no credentials. Six additional high-severity bugs enable RCE (authenticated), further auth bypass, root privilege escalation, and directory traversal. No in-the-wild exploitation has been confirmed, but VMware product vulnerabilities have a strong historical record of rapid weaponization.

What the Vulnerabilities Are

All seven CVEs were discovered by two external researchers: Filip Waeytens of NATO’s technology and cyber hub (CVE-2026-47865, 47866, 47867, 47868, 47869) and Lang Khuong Duy of Viettel IDC (CVE-2026-47869, 47870, 47871). Broadcom responsibly credited both and released patches on July 14, 2026.

CVESeverityCVSSDescriptionAccess Required
CVE-2026-47865Critical9.8Authentication bypass → control plane takeoverNetwork access
CVE-2026-47866High~8.xAuthentication bypass (secondary path)Network access
CVE-2026-47867High~8.xArbitrary code executionNetwork + auth bypass chain
CVE-2026-47868High~8.xPrivilege escalation to rootLocal or network
CVE-2026-47869High~8.xRCE (authenticated attacker with network access)Network, authenticated
CVE-2026-47870High~8.xPrivilege escalationLocal
CVE-2026-47871High~8.xDirectory traversalNetwork

Note: Exact CVSS scores for CVE-2026-47866 through 47871 were not published in detail in the Broadcom advisory as reproduced by SecurityWeek and CybersecurityNews; only CVE-2026-47865’s score of 9.8 is confirmed from the advisory. High-severity band (~7.x–8.x) is stated; exact numbers will be available in the Broadcom advisory directly.

Attack chain concern: CVE-2026-47865 (unauthenticated control-plane access) can be chained with CVE-2026-47867 (RCE after auth) and CVE-2026-47868 (root privilege escalation) to achieve unauthenticated root RCE on the Avi controller. The directory traversal (CVE-2026-47871) may expose sensitive configuration and TLS certificates.

Why It Matters

  • The Avi control plane manages all load-balancing rules, TLS certificates, health checks, and WAF policies for every application the balancer fronts. A control-plane compromise means an attacker can redirect traffic, disable WAF protections, intercept TLS, or take down all load-balanced services simultaneously.
  • VMware product flaws have a strong track record of rapid post-disclosure exploitation. VMware Aria Operations, ESXi, vCenter, and NSX vulnerabilities have repeatedly been weaponized by ransomware operators and nation-state groups within days of public advisory. This patch should be treated with ESXi-level urgency.
  • The NATO researcher finding strongly suggests the bug has meaningful real-world attack surface — organizations running Avi in environments with sophisticated adversaries (government, finance, defense) should treat this as an immediate risk.
  • Seven bugs in a single product means the attack surface is deep; defenders cannot rely on patching one CVE and calling it done.

Am I Affected?

You are at risk if you run:

  • VMware Avi Load Balancer (formerly NSX Advanced Load Balancer / Avi Networks) in any version prior to the July 2026 patch release, in any environment (on-premises, VMware Cloud, hybrid cloud, multi-cloud)
  • The Avi control plane is exposed to any untrusted network segment or to the internet

You are likely not at risk if:

  • Your Avi controller is strictly air-gapped with no network paths from untrusted hosts
  • You have already applied the July 14, 2026 Broadcom security patch

Check your Avi version by logging into the Avi UI → Administration → Controller → About. Compare against the fixed version listed in Broadcom Advisory ID 37926 at support.broadcom.com.

What to Do About It: Step-by-Step

  1. Log into the Broadcom Support Portal at support.broadcom.com and locate Security Advisory ID 37926 for the exact patch version and download link.

  2. Check your current Avi Controller version:

    • In the Avi UI: Administration → Controller → About
    • Or via CLI: show version on the controller
  3. Take a snapshot / backup of the Avi controller configuration before patching:

    • UI: Administration → Controller → Backup → Create Backup Now
    • This is especially important because the patch addresses memory management and auth logic — a rollback point is critical.
  4. Apply the patch:

    • Follow Broadcom’s documented upgrade procedure for your deployment type (single-node vs. cluster)
    • For clustered deployments: patch the leader controller first, then follower nodes
    • Monitor the upgrade in UI: Administration → Controller → Software
  5. Post-patch verification:

    • Confirm the version shown in About matches the patched release
    • Verify all virtual services are health-green in the Avi dashboard
    • Confirm WAF policies, SSL profiles, and health monitors are intact
  6. If immediate patching is not possible (temporary mitigations):

    • Restrict access to the Avi Controller management IP to trusted management hosts only, using firewall ACLs or Security Groups
    • Enable Avi’s built-in “Restrict management plane access” feature if available in your version
    • Audit Avi controller access logs for anomalous authentication attempts
  7. Audit credentials and API tokens issued by the Avi control plane — if exploitation cannot be ruled out, rotate all Avi service accounts, API keys, and cloud-provider credentials managed by Avi.

Quick-Win Checklist

  • Identified all Avi Load Balancer controller instances in the environment
  • Compared current version against the fixed version in Broadcom Advisory 37926
  • Backed up Avi controller configuration before patching
  • Applied July 2026 patch to all controllers (leader then followers in cluster)
  • Confirmed all virtual services healthy post-patch
  • Verified WAF policies and SSL certificates intact
  • Firewalled Avi management interface to trusted hosts only (belt-and-suspenders)
  • No unexplained admin accounts or API keys found in the Avi system

Sources