ctipilot.ch

VMware Avi Load Balancer authorization bypass (CVSS 8.3), VMSA-2026-0005

cve · CVE-2026-47866

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
6
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
VMware Avi Load BalancerVMware NSX Advanced Load Balancer

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-18/vmware-avi-load-balancer-cve-2026-47865-auth-bypass · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-18/vmware-avi-load-balancer-cve-2026-47865-auth-bypass · ATT&CK page ↗

Story timeline

  1. 2026-07-18CVE-2026-47865 — VMware Avi Load Balancer: unauthenticated control-plane authentication bypass (CVSS 9.8), no workaround
    trending-vulnerabilitiesBroadcom patches a pre-auth authentication bypass on the VMware Avi Load Balancer control plane (CVE-2026-47865), reported by NATO NCSC

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • heise.de1 (50%)
  • support.broadcom.com1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about VMware Avi Load Balancer authorization bypass (CVSS 8.3), VMSA-2026-0005 (1)

2026-07-18 · view entry permalink →

CVE-2026-47865 — VMware Avi Load Balancer: unauthenticated control-plane authentication bypass (CVSS 9.8), no workaround

Broadcom's VMSA-2026-0005 (2026-07-14, last updated 2026-07-15) patches seven vulnerabilities in VMware Avi Load Balancer — the load-balancing/application-delivery product formerly sold as NSX Advanced Load Balancer and widely deployed in enterprise and government data-centre fabric across Europe. The load-bearing flaw, CVE-2026-47865 (CVSS 9.8), is an authentication bypass on the Avi Controller: "a malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism" — no credentials, no user interaction (Broadcom PSIRT, 2026-07-14). The advisory ships six companion flaws that require a prior foothold: two high-privilege remote code-execution bugs (CVE-2026-47867, CVE-2026-47869, both CVSS 8.7, PR:H), a low-privilege authenticated directory traversal (CVE-2026-47871, CVSS 8.8), an authorization bypass (CVE-2026-47866, CVSS 8.3), a local-to-root privilege escalation (CVE-2026-47868, CVSS 7.8) and a further privilege escalation (CVE-2026-47870, CVSS 7.1). Broadcom states no workarounds exist (Broadcom PSIRT, 2026-07-14); the German trade press summarised it as attackers being able to bypass authentication and authorization (heise Security, 2026-07-17).

No in-the-wild exploitation has been reported, but two facts raise this above the routine patch cycle: the reporter is the NATO NCSC (a direct constituency-provenance signal), and there is no mitigation short of upgrading. Because the Avi Controller is the management and orchestration plane for the load-balancing fabric, an unauthenticated bypass there is a direct path to reconfiguring traffic routing and TLS termination for every service behind the load balancer — an interception and traffic-manipulation position, not merely appliance compromise.

A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism.

Broadcom / VMware PSIRT (VMSA-2026-0005) 2026-07-14
vulnerability18 Jul 04:35Zmulti-sourceOpen finding ↗