Avi Load Balancer Fixes Put The Control Plane First
Broadcom fixed seven Avi Load Balancer flaws, including a critical network authentication bypass. With no workaround, teams need exact version mapping and controlled controller upgrades.
Broadcom's July 14 security advisory fixes seven VMware Avi Load Balancer vulnerabilities. The most serious, CVE-2026-47865, can let an attacker with network access bypass authentication and reach the Avi control plane. Six related flaws cover authorization bypass, remote code execution, privilege escalation, and directory traversal. Broadcom assigns scores from 7.1 to 9.8 and provides no workaround for any of them.
The response is more precise than installing one package everywhere. Avi 32.1.1 is affected by six flaws but is not listed as affected by the critical authentication bypass; older 31.x, 30.x, and 22.x ranges are exposed to all seven. Fixed targets also differ, and a 22.1 deployment must cross to at least 30.2.7. Administrators should map controllers and management reachability, preserve useful audit evidence, follow the supported upgrade path, and validate the control plane and virtual services after the change.
Key Takeaways
- check_circle Treat CVE-2026-47865 as a management-plane exposure: network access is required, but an Avi account is not.
- check_circle Do not apply the CVE-2026-47865 label to 32.1.1; Broadcom's matrix lists that branch as affected by the other six flaws.
- check_circle Use 32.1.2, 31.2.2-2p3, or 30.2.7 as the applicable fixed floor, while Broadcom recommends 32.1.2 as the current release.
- check_circle Plan 22.1.x remediation as a major-version upgrade to at least 30.2.7, not as a small hotfix.
- check_circle Restrict controller access before maintenance and retain authentication, configuration, and administrative records needed for review.
- check_circle Prove controller health, cluster state, service-engine connectivity, configuration integrity, and application delivery after upgrading.
What Broadcom Disclosed
VMSA-2026-0005 covers CVE-2026-47865 through CVE-2026-47871. Broadcom calls the advisory critical and says the vulnerabilities were privately reported. CVE-2026-47865 is the only 9.8 issue: a malicious user with network access may bypass authentication and access the Avi control plane. The vendor lists no workaround, so reducing management reachability can lower exposure but does not replace the fixed software.
The remaining flaws matter because they create several paths after some level of access is obtained. CVE-2026-47866 permits access to a limited subset of the control plane without proper authorization. CVE-2026-47867 and CVE-2026-47869 can lead to remote code execution under different privilege assumptions. CVE-2026-47868 is a local path to root, CVE-2026-47870 is a network privilege-escalation path for an authenticated user, and CVE-2026-47871 permits directory traversal by an authenticated network user.
Broadcom's advisory does not report observed exploitation, indicators, a public exploit, or an affected-customer count. That is not confirmation that exploitation has never happened. It means the public case for action rests on the attack conditions, control-plane role, lack of workarounds, and available patches. Teams should keep exploitation status separate from technical severity in their records.
The Version Matrix Has An Important Exception
Avi Load Balancer 32.1.1 appears in the response matrix for CVE-2026-47866 through CVE-2026-47871 and is fixed in 32.1.2. The matrix does not list CVE-2026-47865 for that branch. An inventory scanner that applies all seven CVEs to every listed Avi release would therefore overstate the authentication-bypass exposure while still correctly identifying a six-flaw patch requirement.
Versions 31.1.1 through 31.2.2 are affected by all seven flaws and must reach 31.2.2-2p3 or a later supported release. Versions 30.1.1 through 30.2.6 must reach 30.2.7 or later. Versions 22.1.1 through 22.1.7 are also listed for all seven, but their fixed floor is 30.2.7. Broadcom additionally says 32.1.2 is the recommended and most recent version.
Build the change list from the controller's exact release, not from a generic VMware product name in an asset database. Record each controller node, cluster, deployment environment, management address, public and private reachability, owner, and target release. Include standby systems and disaster-recovery deployments that may be powered down during routine scans.
Why Control-Plane Access Changes The Risk
The advisory consistently names the Avi control plane. That is the management boundary where operators define virtual services, pools, health checks, certificates, policies, integrations, and other application-delivery behavior. Broadcom does not state what an attacker can see or change after exploiting CVE-2026-47865, so defenders should not turn possible administrative access into a claim that traffic, keys, or applications were compromised.
The safer operational conclusion is that a control-plane authentication bypass deserves the same care as other infrastructure-management failures. An attacker who reaches a trusted controller may gain visibility or influence that is more valuable than attacking one application endpoint. The investigation must therefore cover the controller and the systems that accept its configuration, credentials, telemetry, or automation calls.
Network access is a condition, not a synonym for internet exposure. A controller may be reachable only from a management VLAN, VPN, jump host, partner network, or cloud administration segment. Those boundaries still matter because compromised administrator workstations and reused access paths can make an internal interface reachable. Document the actual path instead of assuming that a private address makes the flaw irrelevant.
Upgrade Planning Is Part Of The Security Fix
A load balancer sits on a production availability path, so an emergency update needs both security urgency and change discipline. Retrieve the release package through the supported portal, confirm the release-specific requirements, preserve a current configuration backup, and identify rollback or recovery constraints before touching the cluster. Do not assume that the fixed version alone defines a supported path from every older build.
The 22.1.x boundary is the clearest warning. Broadcom requires those releases to move to at least 30.2.7. That is a major-version transition with a wider compatibility surface than a patch-level update. Check platform support, licensing, integrations, automation clients, certificate handling, custom scripts, cloud connectors, and service-engine compatibility against the applicable release documentation. If the direct path is unsupported, use the vendor-documented intermediate sequence.
Schedule the work so that node health and application delivery are observable throughout. Establish pre-change baselines for controller cluster state, virtual-service health, pool membership, service-engine status, alerts, API integrations, and configuration synchronization. A completed controller upgrade is not sufficient evidence if service engines are disconnected or health checks no longer represent the applications accurately.
Reduce Exposure And Preserve Evidence
Before the maintenance window, narrow controller access to named administration paths where operations permit it. Review firewall, security-group, reverse-proxy, VPN, and jump-host rules for forgotten sources. Remove direct public reachability if it is not explicitly required. These measures reduce the set of systems that can attempt the flaws, but the advisory's no-workaround status means affected software still needs an upgrade.
Retain the evidence needed to answer whether the control plane was accessed before the fix. Useful records can include successful and failed authentication, administrative sessions, API activity, account and role changes, configuration revisions, certificate operations, image uploads, cluster events, outbound connections, and upstream identity or jump-host logs. Preserve timestamps and export data before rotation or upgrade behavior changes it.
Look for activity that is unexpected for the environment rather than inventing CVE-specific indicators that Broadcom has not published. New administrators, unfamiliar API clients, unexplained configuration pushes, disabled logging, unexpected file access, or unusual controller-to-infrastructure connections justify incident-response review. If evidence suggests compromise, coordinate containment and credential rotation with preservation and recovery rather than treating patching as proof of cleanliness.
Validate The Full Delivery Path
After the upgrade, verify the reported version on every controller node and confirm the cluster is synchronized and stable. Check service engines, cloud connectors, licenses, time synchronization, certificates, logging, role mappings, and API clients. Compare critical configuration objects with the approved pre-change baseline and investigate unexplained differences before declaring the maintenance complete.
Test representative virtual services from the client side and the administration side. Confirm expected TLS behavior, routing, health monitoring, persistence, redirects, web application firewall policy where used, and failover. Watch application latency and error rates long enough to catch a service engine or pool that looks healthy in the control plane but fails real requests.
Close the security item only when asset inventory, fixed builds, management reachability, evidence review, and application tests agree. The public sources leave several questions open, including exploitation status and detailed post-bypass capabilities. Record those as unknowns. The confirmed facts already support prompt patching without adding speculative claims.
Checklist
- Inventory every Avi Controller, cluster node, standby deployment, management address, and reachable administration path.
- Map 32.1.1 to six CVEs and older affected ranges to all seven before creating vulnerability tickets.
- Choose the supported fixed target and plan 22.1.x as a major-version migration.
- Back up configuration and preserve approved controller, identity, jump-host, and network evidence.
- Restrict management access while preparing the upgrade; do not treat segmentation as the vendor fix.
- Verify every controller build, cluster synchronization, service engine, integration, and critical virtual service.
- Escalate unexplained pre-patch administrative activity through the incident-response process.
Sources
- Broadcom VMSA-2026-0005: VMware Avi Load Balancer vulnerabilities open_in_new
- Broadcom: Avi Load Balancer 32.1.2 release notes open_in_new
- Broadcom: Avi Load Balancer 31.2.2 release notes open_in_new
- Broadcom: Avi Load Balancer 30.2.7 release notes open_in_new
- NIST NVD: CVE-2026-47865 authentication bypass open_in_new
- NIST NVD: CVE-2026-47867 remote code execution open_in_new
- NIST NVD: CVE-2026-47871 directory traversal open_in_new
Continue Reading
Signal vs. WhatsApp: Privacy Beyond Message Encryption
Signal and WhatsApp both protect personal chats with end-to-end encryption. The larger privacy differences sit in metadata, discovery, backups, linked devices, and business services.
FortiSandbox Exploitation Makes The Analyzer An Incident Target
CISA says attackers are exploiting two unauthenticated FortiSandbox command-injection flaws. Patching needs exact deployment inventory, evidence preservation, and cluster-aware validation.
EY Support-Ticket Breach Puts Tax Attachments Under Review
EY says attackers downloaded client documents from a third-party support platform used for tax work. The disclosure makes ticket attachments, retention, and user protection immediate concerns.