Critical Vulnerabilities in VMware Avi Load Balancer Allow Authentication Bypass

Critical Vulnerabilities in VMware Avi Load Balancer Allow Authentication Bypass

First seen 17 Jul 2026, 12:49 UTC CybersecuritynewsHeise.Desupport.broadcom.com 74% similarity 72.6

Article Content

Browse articles
ThreatCluster

Broadcom has disclosed multiple vulnerabilities in VMware's Avi Load Balancer, including critical flaws that allow attackers to bypass authentication. The most severe vulnerability, CVE-2026-47865, has a CVSS score of 9.8 and enables unauthorized access to the Avi Controller interface. Other vulnerabilities include CVE-2026-47866, which allows unauthorized access to settings, and CVE-2026-47867, which permits remote code execution. These vulnerabilities affect various versions of the Avi Load Balancer, with patches available in versions 30.2.7 and above. Users are urged to upgrade from vulnerable versions 22.1.1 to 22.1.7. The vulnerabilities were reported by Filip Waeytens from NATO NCSC. Broadcom's advisory emphasizes the critical nature of these flaws, highlighting the potential for significant security breaches.

Key Points: • CVE-2026-47865 allows authentication bypass with a CVSS score of 9.8. • Multiple vulnerabilities affect VMware Avi Load Balancer, with several rated high risk. • Patches are available for affected versions; users are urged to upgrade immediately.

ThreatCluster AI

Timeline

2025-01-28
CVE-2025-22217 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-14
Initial security advisory published
Broadcom disclosed multiple vulnerabilities in VMware Avi Load Balancer, including critical flaws. Patches were made available for affected versions.
support.broadcom.com
2026-07-17
Critical vulnerability reported
CVE-2026-47865 allows attackers to bypass authentication on the Avi Controller interface, rated CVSS 9.8.
Heise.De
2026-07-17
Patch availability confirmed
Broadcom confirmed patches in VMware Avi Load Balancer versions 30.2.7 and above for the vulnerabilities.
Heise.De

Community

Browse all →