Broadcom published a security advisory on July 14, 2026 patching seven serious vulnerabilities in VMware Avi Load Balancer, the software-defined ADC (application delivery controller) platform used to load-balance, secure, and analyze web application traffic in hybrid and multi-cloud environments. The headline flaw — CVE-2026-47865 — is a Critical (CVSS 9.8) authentication bypass that allows a network-adjacent attacker to take over the Avi control plane with no credentials. Six additional high-severity bugs enable RCE (authenticated), further auth bypass, root privilege escalation, and directory traversal. No in-the-wild exploitation has been confirmed, but VMware product vulnerabilities have a strong historical record of rapid weaponization.
What the Vulnerabilities Are
All seven CVEs were discovered by two external researchers: Filip Waeytens of NATO’s technology and cyber hub (CVE-2026-47865, 47866, 47867, 47868, 47869) and Lang Khuong Duy of Viettel IDC (CVE-2026-47869, 47870, 47871). Broadcom responsibly credited both and released patches on July 14, 2026.
| CVE | Severity | CVSS | Description | Access Required |
|---|---|---|---|---|
| CVE-2026-47865 | Critical | 9.8 | Authentication bypass → control plane takeover | Network access |
| CVE-2026-47866 | High | ~8.x | Authentication bypass (secondary path) | Network access |
| CVE-2026-47867 | High | ~8.x | Arbitrary code execution | Network + auth bypass chain |
| CVE-2026-47868 | High | ~8.x | Privilege escalation to root | Local or network |
| CVE-2026-47869 | High | ~8.x | RCE (authenticated attacker with network access) | Network, authenticated |
| CVE-2026-47870 | High | ~8.x | Privilege escalation | Local |
| CVE-2026-47871 | High | ~8.x | Directory traversal | Network |
Note: Exact CVSS scores for CVE-2026-47866 through 47871 were not published in detail in the Broadcom advisory as reproduced by SecurityWeek and CybersecurityNews; only CVE-2026-47865’s score of 9.8 is confirmed from the advisory. High-severity band (~7.x–8.x) is stated; exact numbers will be available in the Broadcom advisory directly.
Attack chain concern: CVE-2026-47865 (unauthenticated control-plane access) can be chained with CVE-2026-47867 (RCE after auth) and CVE-2026-47868 (root privilege escalation) to achieve unauthenticated root RCE on the Avi controller. The directory traversal (CVE-2026-47871) may expose sensitive configuration and TLS certificates.
Why It Matters
- The Avi control plane manages all load-balancing rules, TLS certificates, health checks, and WAF policies for every application the balancer fronts. A control-plane compromise means an attacker can redirect traffic, disable WAF protections, intercept TLS, or take down all load-balanced services simultaneously.
- VMware product flaws have a strong track record of rapid post-disclosure exploitation. VMware Aria Operations, ESXi, vCenter, and NSX vulnerabilities have repeatedly been weaponized by ransomware operators and nation-state groups within days of public advisory. This patch should be treated with ESXi-level urgency.
- The NATO researcher finding strongly suggests the bug has meaningful real-world attack surface — organizations running Avi in environments with sophisticated adversaries (government, finance, defense) should treat this as an immediate risk.
- Seven bugs in a single product means the attack surface is deep; defenders cannot rely on patching one CVE and calling it done.
Am I Affected?
You are at risk if you run:
- VMware Avi Load Balancer (formerly NSX Advanced Load Balancer / Avi Networks) in any version prior to the July 2026 patch release, in any environment (on-premises, VMware Cloud, hybrid cloud, multi-cloud)
- The Avi control plane is exposed to any untrusted network segment or to the internet
You are likely not at risk if:
- Your Avi controller is strictly air-gapped with no network paths from untrusted hosts
- You have already applied the July 14, 2026 Broadcom security patch
Check your Avi version by logging into the Avi UI → Administration → Controller → About. Compare against the fixed version listed in Broadcom Advisory ID 37926 at support.broadcom.com.
What to Do About It: Step-by-Step
Log into the Broadcom Support Portal at support.broadcom.com and locate Security Advisory ID 37926 for the exact patch version and download link.
Check your current Avi Controller version:
- In the Avi UI: Administration → Controller → About
- Or via CLI:
show versionon the controller
Take a snapshot / backup of the Avi controller configuration before patching:
- UI: Administration → Controller → Backup → Create Backup Now
- This is especially important because the patch addresses memory management and auth logic — a rollback point is critical.
Apply the patch:
- Follow Broadcom’s documented upgrade procedure for your deployment type (single-node vs. cluster)
- For clustered deployments: patch the leader controller first, then follower nodes
- Monitor the upgrade in UI: Administration → Controller → Software
Post-patch verification:
- Confirm the version shown in About matches the patched release
- Verify all virtual services are health-green in the Avi dashboard
- Confirm WAF policies, SSL profiles, and health monitors are intact
If immediate patching is not possible (temporary mitigations):
- Restrict access to the Avi Controller management IP to trusted management hosts only, using firewall ACLs or Security Groups
- Enable Avi’s built-in “Restrict management plane access” feature if available in your version
- Audit Avi controller access logs for anomalous authentication attempts
Audit credentials and API tokens issued by the Avi control plane — if exploitation cannot be ruled out, rotate all Avi service accounts, API keys, and cloud-provider credentials managed by Avi.
Quick-Win Checklist
- Identified all Avi Load Balancer controller instances in the environment
- Compared current version against the fixed version in Broadcom Advisory 37926
- Backed up Avi controller configuration before patching
- Applied July 2026 patch to all controllers (leader then followers in cluster)
- Confirmed all virtual services healthy post-patch
- Verified WAF policies and SSL certificates intact
- Firewalled Avi management interface to trusted hosts only (belt-and-suspenders)
- No unexplained admin accounts or API keys found in the Avi system