2026-07-18 · view entry permalink →
CVE-2026-47865 — VMware Avi Load Balancer: unauthenticated control-plane authentication bypass (CVSS 9.8), no workaround
Broadcom's VMSA-2026-0005 (2026-07-14, last updated 2026-07-15) patches seven vulnerabilities in VMware Avi Load Balancer — the load-balancing/application-delivery product formerly sold as NSX Advanced Load Balancer and widely deployed in enterprise and government data-centre fabric across Europe. The load-bearing flaw, CVE-2026-47865 (CVSS 9.8), is an authentication bypass on the Avi Controller: "a malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism" — no credentials, no user interaction (Broadcom PSIRT, 2026-07-14). The advisory ships six companion flaws that require a prior foothold: two high-privilege remote code-execution bugs (CVE-2026-47867, CVE-2026-47869, both CVSS 8.7, PR:H), a low-privilege authenticated directory traversal (CVE-2026-47871, CVSS 8.8), an authorization bypass (CVE-2026-47866, CVSS 8.3), a local-to-root privilege escalation (CVE-2026-47868, CVSS 7.8) and a further privilege escalation (CVE-2026-47870, CVSS 7.1). Broadcom states no workarounds exist (Broadcom PSIRT, 2026-07-14); the German trade press summarised it as attackers being able to bypass authentication and authorization (heise Security, 2026-07-17).
No in-the-wild exploitation has been reported, but two facts raise this above the routine patch cycle: the reporter is the NATO NCSC (a direct constituency-provenance signal), and there is no mitigation short of upgrading. Because the Avi Controller is the management and orchestration plane for the load-balancing fabric, an unauthenticated bypass there is a direct path to reconfiguring traffic routing and TLS termination for every service behind the load balancer — an interception and traffic-manipulation position, not merely appliance compromise.
A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism.