Broadcom released a security advisory addressing seven vulnerabilities in VMware Avi Load Balancer — the enterprise load balancing platform used in hybrid and multi-cloud environments — spanning critical and high severity ratings. The most severe finding, CVE-2026-47865, is a critical authentication bypass in the Avi control plane that allows unauthorized access to the administrative management layer without credentials. No active exploitation was confirmed at time of publication.
CVE-2026-47865 and the Six Additional VMware Avi Vulnerabilities
Broadcom’s advisory covers seven distinct vulnerabilities across the VMware Avi Load Balancer product, touching authentication, privilege escalation, code execution, and directory traversal vulnerability classes. The seven CVEs span a severity range from critical to high, with the critical finding in the control plane representing the highest attack priority given its unauthenticated access requirement and the administrative scope of the compromised layer.
CVE-2026-47865 is the critical authentication bypass. It targets the Avi control plane — the administrative management layer that orchestrates load balancing policy, SSL termination configuration, and traffic routing across all applications the Avi instance serves. An attacker who successfully exploits CVE-2026-47865 gains unauthorized access to the management plane without presenting valid credentials.
The six high-severity CVEs address a range of additional attack surfaces. CVE-2026-47866 is an additional authentication bypass. CVE-2026-47867 enables arbitrary code execution. CVE-2026-47868 allows privilege escalation to root access. CVE-2026-47869 enables remote code execution by authenticated attackers with network access. CVE-2026-47870 is a second privilege escalation path. CVE-2026-47871 is a directory traversal vulnerability.
Control Plane Authentication Bypass and Its Traffic Routing Implications
Load balancers occupy a high-trust position in enterprise network architecture: they handle all inbound and outbound application traffic, manage SSL certificate termination, and make forwarding decisions that route application requests across back-end server pools. The Avi control plane’s role is to manage these traffic policies across all applications the load balancer serves — SSL certificates, health check configurations, routing rules, access control lists, and traffic distribution weights.
An attacker with unauthorized access to the Avi control plane can modify traffic routing policies to redirect application traffic, alter SSL termination settings to intercept encrypted sessions, disable health checks to suppress alerting on degraded backend systems, or extract SSL private keys stored in the management plane. Because the control plane governs traffic decisions across every application the Avi instance serves, a single unauthenticated exploit of CVE-2026-47865 creates a single point of manipulation for the entire application delivery infrastructure the load balancer protects.
Privilege Escalation Chain from CVE-2026-47868 Through CVE-2026-47870
Beyond the control plane authentication bypass, the advisory’s two privilege escalation vulnerabilities — CVE-2026-47868 (root escalation) and CVE-2026-47870 — present a separate attack path for attackers who begin with limited access on the system. An attacker who gains an initial foothold through a lower-privilege account or through CVE-2026-47866 (additional authentication bypass) can potentially chain these escalations to reach root-level access on the underlying host.
CVE-2026-47867’s arbitrary code execution and CVE-2026-47869’s authenticated RCE extend the post-exploitation surface further, providing code execution paths once elevated access is achieved. The combination of authentication bypass, two privilege escalation CVEs, and two code execution CVEs in a single advisory reflects a product advisory where multiple independent attack paths converge on high-impact outcomes.
Patch Availability and Historical VMware Advisory Exploitation Patterns
Broadcom made patches available through its support portal at time of advisory publication. Broadcom’s advisory does not indicate active exploitation. However, VMware products have historically attracted rapid exploitation following security advisory publication — threat actors routinely monitor VMware advisories and develop exploit code for newly disclosed vulnerabilities within days of public disclosure.
VMware Avi Load Balancer is deployed in large enterprise environments for application delivery, SSL offloading, and multi-cloud traffic distribution, with integrations to VMware NSX, Kubernetes, and major cloud providers. The product’s position in enterprise traffic flows and its integrations with hybrid cloud infrastructure mean that organizations running Avi Load Balancer should treat the absence of confirmed exploitation at advisory time as a window that historically closes quickly following VMware disclosures, not as grounds for deferring patch installation. Broadcom’s advisory designates no specific CVEs as requiring priority over others, but CVE-2026-47865’s unauthenticated control plane access makes it the immediate patching priority.
