ctipilot.ch
← Back to the live brief
HIGHCVE-2026-47865 +6NATOA2vulnerability

CVE-2026-47865 — VMware Avi Load Balancer: unauthenticated control-plane authentication bypass (CVSS 9.8), no workaround

discovered 2026-07-18 04:35 UTCrun 2026-07-18T0409Z-intel2 sourcesmulti-source

Broadcom's VMSA-2026-0005 (2026-07-14, last updated 2026-07-15) patches seven vulnerabilities in VMware Avi Load Balancer — the load-balancing/application-delivery product formerly sold as NSX Advanced Load Balancer and widely deployed in enterprise and government data-centre fabric across Europe. The load-bearing flaw, CVE-2026-47865 (CVSS 9.8), is an authentication bypass on the Avi Controller: "a malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism" — no credentials, no user interaction (Broadcom PSIRT, 2026-07-14). The advisory ships six companion flaws that require a prior foothold: two high-privilege remote code-execution bugs (CVE-2026-47867, CVE-2026-47869, both CVSS 8.7, PR:H), a low-privilege authenticated directory traversal (CVE-2026-47871, CVSS 8.8), an authorization bypass (CVE-2026-47866, CVSS 8.3), a local-to-root privilege escalation (CVE-2026-47868, CVSS 7.8) and a further privilege escalation (CVE-2026-47870, CVSS 7.1). Broadcom states no workarounds exist (Broadcom PSIRT, 2026-07-14); the German trade press summarised it as attackers being able to bypass authentication and authorization (heise Security, 2026-07-17).

No in-the-wild exploitation has been reported, but two facts raise this above the routine patch cycle: the reporter is the NATO NCSC (a direct constituency-provenance signal), and there is no mitigation short of upgrading. Because the Avi Controller is the management and orchestration plane for the load-balancing fabric, an unauthenticated bypass there is a direct path to reconfiguring traffic routing and TLS termination for every service behind the load balancer — an interception and traffic-manipulation position, not merely appliance compromise.

A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism.

Broadcom / VMware PSIRT (VMSA-2026-0005) 2026-07-14

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1068Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.