Broadcom released updates that fix seven high‑severity flaws in the VMware Avi Load Balancer. The bugs allowed authentication bypass, remote code execution, privilege escalation and directory traversal attacks, posing serious risks to hybrid and multi‑cloud deployments.

Key Takeaways

  • Seven critical CVEs addressed in latest Avi Load Balancer patch
  • Vulnerabilities include authentication bypass, RCE, and privilege escalation
  • Immediate deployment of updates strongly recommended for all users

Broadcom announced on Tuesday that the newest VMware Avi Load Balancer updates remediate seven critical and high‑severity vulnerabilities. The software‑defined platform delivers load balancing, application security, and analytics across hybrid and multi‑cloud environments, making its security posture crucial for modern enterprises.

Discovery and Risk Profile

Filip Waeytens of NATO’s technology and cyber hub identified CVE‑2026‑47865, a critical authentication‑bypass flaw that enables an attacker with network access to compromise the Avi control plane. Waeytens also reported three high‑severity issues (CVE‑2026‑47866, CVE‑2026‑47867, CVE‑2026‑47868) that could allow authentication bypass, arbitrary code execution, and root‑level privilege escalation, respectively.

Lang Khuong Duy of Viettel IDC uncovered two additional high‑severity bugs: CVE‑2026‑47870 (privilege escalation) and CVE‑2026‑47871 (directory traversal). Both researchers were credited for responsibly disclosing CVE‑2026‑47869, a remote code execution vulnerability that requires an authenticated network attacker.

Impact and Recommendations

Broadcom’s advisory notes that none of the vulnerabilities have been observed in the wild, yet history shows VMware products are frequent targets for threat actors. Organizations are urged to apply the latest patches without delay, as delayed remediation can expose environments to zero‑day exploits and lateral movement within critical workloads.

Future Security Outlook

As cloud‑native applications grow in complexity, software‑defined infrastructure must adopt continuous security assessment and rapid patch cycles. Experts argue that proactive vulnerability discovery, coupled with collaborative disclosure through the CVE database, will strengthen industry‑wide cyber‑resilience and reduce the attack surface for sophisticated adversaries.