Broadcom shipped VMSA-2026-0005 on July 18, patching seven vulnerabilities in VMware Avi Load Balancer (formerly Avi Networks/Avi Vantage) that, chained together, take an attacker from unauthenticated network access to root on the control plane. The headline bug is CVE-2026-47865, a CVSS 9.8 authentication bypass discovered by Filip Waeytens of NATO’s technology and cyber hub.

What Happened

Avi Load Balancer separates its data plane (the Service Engines that actually pass traffic) from a control plane that handles configuration, analytics, and orchestration. The control plane is the crown jewel — compromise it and you can reconfigure or redirect traffic for everything behind the load balancer. VMSA-2026-0005 patches seven distinct issues in that control plane surface:

  • CVE-2026-47865 (CVSS 9.8) — Authentication bypass. A network attacker with no credentials can breach the Avi control plane outright. This is the critical one and the reason the advisory exists.
  • CVE-2026-47866 (CVSS 8.3) — A second, narrower authentication bypass that exposes a limited subset of control-plane functionality.
  • CVE-2026-47867 (CVSS 8.7) — Remote code execution: a network attacker can run code on the control plane.
  • CVE-2026-47869 (CVSS 8.7) — Code injection/execution requiring authentication.
  • CVE-2026-47871 (CVSS 8.8) — Directory traversal. Flawed file-path validation lets an authenticated network user step outside the web root and read files that should be off-limits. Discovered by Lang Khuong Duy of Viettel IDC.
  • CVE-2026-47868 (CVSS 7.8) — Local privilege escalation to root.
  • CVE-2026-47870 (CVSS 7.1) — A second, lower-severity privilege escalation path.

The practical chain is straightforward: CVE-2026-47865 gets an unauthenticated attacker onto the control plane with no credentials at all, CVE-2026-47867 or CVE-2026-47869 turns that foothold into arbitrary code execution, and CVE-2026-47868 escalates from whatever account that code runs as to root. Each step individually is bad; strung together they add up to full control-plane takeover from a cold start.

Impact

Anyone running Avi Load Balancer to front production traffic is affected — this includes VMware Cloud Foundation and NSX Advanced Load Balancer deployments that embed Avi as the L4-L7 load-balancing layer, not just standalone Avi installs. A control-plane compromise on a load balancer is worse than most single-host RCEs: it sits in the traffic path for every application behind it, holds TLS material and backend routing configuration, and typically has API access into whatever automation manages the environment (Terraform providers, Ansible modules, orchestration pipelines that reconfigure virtual services). An attacker who lands here can redirect, intercept, or drop traffic for every service the load balancer fronts, and pivot into the automation tooling that talks to it.

Broadcom’s advisory states no in-the-wild exploitation or public proof-of-concept exists as of disclosure. That won’t last — a 9.8 authentication bypass on internet-facing infrastructure is exactly the profile that gets reverse-engineered from the patch diff within days, and this class of bug (control-plane auth bypass chained to RCE) has a well-worn precedent in how quickly it gets weaponized once researchers or attackers diff the fix.

Affected Versions and Fix

  • 32.1.1 → fixed in 32.1.2
  • 31.1.1 through 31.2.2 → fixed in 31.2.2-2p3
  • 30.1.1 through 30.2.6 → fixed in 30.2.7
  • 22.1.1 through 22.1.7 → fixed in 30.2.7

Note the 22.1.x line jumps forward to the 30.2.7 branch rather than getting an in-branch patch — plan for that as a version migration, not a point update, if you’re still running 22.1.x.

Mitigation

  • Patch now, prioritizing any Avi controller reachable from outside a tightly restricted management network. The auth bypass requires only network access, not credentials.
  • Restrict control-plane access to a dedicated management network or VPN if you can’t patch immediately — the Avi controller’s management interface should never be exposed to the same network segment as the traffic it’s load-balancing, let alone the internet.
  • Rotate credentials and audit control-plane logs for any Avi controller that was internet-reachable prior to patching, given how straightforward the auth-bypass-to-RCE chain is once reverse-engineered.
  • Check VMware Cloud Foundation and NSX Advanced Load Balancer deployments for embedded Avi versions — the vulnerable component ships inside those products, not just standalone installs, so patch tracking needs to cover indirect exposure too.

References