Top/Articles/Unauthenticated takeover flaw in VMware Avi Load Balancer: CVE-2026-47865 β€” patch to 32.1.2 now
vmware-avi-load-balancer-cve-cover-en

Unauthenticated takeover flaw in VMware Avi Load Balancer: CVE-2026-47865 β€” patch to 32.1.2 now

VMware's Avi Load Balancer, which many companies place in front of their servers, has a flaw (CVE-2026-47865, severity 9.8) that lets attackers take over its management console with no login. Seven flaws in total were disclosed, with fixes 32.1.2, 31.2.2-2p3 and 30.2.7 now available. There is no workaround. Here's how to check whether your version is affected and update.

NewsPublished July 18, 2026 Updated today
Table of contents
Key takeaways

VMware's Avi Load Balancer, which many companies place in front of their servers, has a flaw (CVE-2026-47865, severity 9.8) that lets attackers take over its management console with no login. Seven flaws in total were disclosed, with fixes 32.1.2, 31.2.2-2p3 and 30.2.7 now available. There is no workaround. Here's how to check whether your version is affected and update.

VMware's "Avi Load Balancer," which many companies place in front of their servers, has a serious flaw that lets an attacker take over its management console without logging in. Tracked as CVE-2026-47865, it carries a near-maximum severity score of 9.8. The vendor, Broadcom (the chip and software company that owns VMware), disclosed six more flaws the same day, shipping fixes for seven vulnerabilities in total.

A load balancer is the "traffic director" that spreads incoming requests across multiple servers. Because most user traffic passes through it first, taking it over puts every service sitting behind it at risk. On July 14, 2026, Broadcom published security advisory VMSA-2026-0005 and released fixed version 32.1.2 and others. There is no workaround (no config change that mitigates it) β€” updating is the only option. Here's what happened and whether it affects your organization.

Key points (3 lines)

  • Seven flaws hit VMware's Avi Load Balancer. The most severe, CVE-2026-47865 (severity 9.8), is an "authentication bypass" that reaches the management console with no login.
  • The batch also includes remote code execution flaws (such as CVE-2026-47867) and a flaw that leaks files (CVE-2026-47871). There is no workaround, only updating.
  • Fixed versions are 32.1.2, 31.2.2-2p3, and 30.2.7. Check whether your version is affected; updating to the latest 32.1.2 is recommended.

Why a load balancer flaw has such a wide blast radius

A load balancer evenly distributes the large volume of requests hitting a website or app across multiple servers. User traffic always passes through this device before reaching its destination server. In other words, the load balancer stands at the "front door" of the entire service. VMware's Avi Load Balancer (formerly NSX Advanced Load Balancer) is widely used in large systems, from on-premises data centers to the cloud.

The flaws sit in the brain that configures and manages this device β€” the management console, known as the control plane. It is meant to be locked behind a login so that only authorized administrators can operate it. But the most severe flaw, CVE-2026-47865, lets an attacker bypass that login mechanism entirely. Anyone who can reach the device over the network can get into the management console without knowing a valid ID or password, according to the vendor.

When the traffic director at the front door is hijacked, the traffic to the servers lined up behind it can be snooped on or redirected to fake servers. Flaws leaking internal information from VMware-related management tools have kept surfacing; we previously covered a VMware migration tool flaw that could leak vCenter admin credentials. As another case of the management core being targeted, this one should not be taken lightly either.

Who targets this, and why

The attackers who go after this flaw are those who scan far and wide for load balancers reachable from the internet or an internal network. Attackers targeting corporate systems first build a list of "devices reachable from outside" and check in bulk whether any known flaws remain unpatched. A load balancer β€” always running, with heavy traffic passing through it β€” makes an ideal target.

Using this flaw, attackers try to bypass the legitimate login, get into the management console, and take over the device itself. Once they control the management console, they can rewrite where traffic is routed, run malicious programs on the device, and read internal configuration files. The seven flaws include ones that let an attacker run programs remotely, and ones that read files that should never be visible.

It is not only the company operating the device that gets hurt. Ordinary users of the services running behind it may suffer indirect harm, such as having their traffic snooped on or being redirected to fake pages. A load balancer is an unseen, behind-the-scenes component, but when it is hijacked the impact reaches the entire service behind it. That is exactly why the version check and update described below should be done sooner rather than later.

Breakdown of the seven flaws

The following seven flaws were disclosed in Broadcom's advisory VMSA-2026-0005. The highest severity (CVSS, a 0–10 scale of seriousness) goes to CVE-2026-47865, which needs no login to exploit.

CVEWhat it isSeverityLogin
CVE-2026-47865Authentication bypass
(unauthorized access to console)
9.8 (Critical)Not needed
CVE-2026-47871Directory traversal
(reading files that should be hidden)
8.8 (Important)Conditional
CVE-2026-47867Remote code execution (RCE)8.7 (Important)Conditional
CVE-2026-47869Remote code execution (RCE)8.7 (Important)Login required
CVE-2026-47866Authorization bypass
(performing forbidden actions)
8.3 (Important)Conditional
CVE-2026-47868Privilege escalation
(gaining admin-level rights)
7.8 (Important)Conditional
CVE-2026-47870Privilege escalation7.1 (Important)Conditional

According to Broadcom, four of the flaws β€” CVE-2026-47865, 47866, 47867, and 47868 β€” were reported by Filip Waeytens of NATO's cyber security hub, and the other three β€” CVE-2026-47869, 47870, and 47871 β€” by Lang Khuong Duy of Viettel IDC in Vietnam. All were privately disclosed to the vendor. Below we look at the three highest-impact flaws individually.

CVE-2026-47865 (CVSS 9.8): take over the management console with no login

This is the central flaw. An actor who can reach the Avi Load Balancer's management console (the control plane) over the network can bypass the legitimate login and gain unauthorized access. Broadcom states that "a malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism." It is the only one of the seven that can be exploited without a login, and its 9.8 severity is the highest in the batch. This is the flaw to watch most closely as an entry point.

CVE-2026-47871 (CVSS 8.8): reading files that should be hidden

This is a directory traversal flaw. By slipping something like "go up one level" into the part that specifies a file's location, an attacker can reach files that should be off limits. If configuration files or authentication-related data are read, that can become a foothold for further attacks. At 8.8, it is the second-highest severity in this batch after the authentication bypass.

CVE-2026-47867 / 47869 (CVSS 8.7): running malicious programs on the device

Both are remote code execution (RCE) flaws that let an attacker run arbitrary programs on the load balancer. There are two β€” CVE-2026-47867 and CVE-2026-47869 β€” each rated 8.7. Being able to run programs means an attacker can build a foothold to operate the device behind the scenes. Combined with the authentication bypass (47865), an attacker could move from initial intrusion to full control of the device in one stretch, which is why these warrant attention.

Is your environment affected? (version quick-reference)

Whether you are affected depends on the Avi Load Balancer version you are running. Check the table below. Note that the most severe flaw, CVE-2026-47865 (authentication bypass), affects the 31.x, 30.x, and 22.x branches in the table, but not the newer 32.1.1 branch. However, 32.1.1 is still affected by the remaining six flaws, so an update is needed either way.

Your versionImpactUpdate to
32.1.16 of 7 apply
(excludes 47865)
32.1.2
31.1.1–31.2.2All 7 apply
(Critical)
31.2.2-2p3
(or 32.1.2)
30.1.1–30.2.6All 7 apply
(Critical)
30.2.7
(or 32.1.2)
22.1.1–22.1.7All 7 apply
(Critical)
30.2.7
(or 32.1.2)
32.1.2 or laterAlready fixedNo action

Broadcom says "32.1.2 is the recommended version, which is also the most recent version currently available." If you are staying on an older branch, you can still remediate by moving to the fixed release prepared for that line (31.2.2-2p3 or 30.2.7). Your version can be checked from the management console, and the update steps are documented in VMware's official documentation.

What to do now

First, confirm whether your organization uses Avi Load Balancer (including NSX Advanced Load Balancer), and if so, check the version. If it is older than 32.1.2, the affected flaws likely remain, so plan an update. Because Broadcom offers no workaround, updating is the only way to close these flaws. Moving to the latest 32.1.2 is the cleanest fix.

Since a load balancer sits at the front door of your services, updating requires planning around the impact on live systems. If you cannot update immediately, review whether the management console (control plane) is unnecessarily reachable from outside, and tighten network routes and source restrictions to reduce the attack surface. It also helps to check the access logs of the management console for any suspicious traces.

As of now, there are no reports of these seven flaws being exploited in the wild, no listing in the U.S. CISA "Known Exploited Vulnerabilities" catalog (KEV, the list of flaws confirmed to be under active attack), and no public proof-of-concept (PoC) exploit. That said, "front-door" devices like load balancers and VPNs are attractive targets, and there are past cases where attacks began after a fix was released and the method was reverse-engineered. You can watch for active exploitation on our tracker of vulnerabilities under active attack. Flaws that slip past load balancers and WAFs (devices that block malicious traffic) have appeared recently too β€” our article on a flaw that bypasses AWS defenses is a useful companion read.

FAQ

Q. Which version should I update to?

Updating to the latest 32.1.2 is recommended. If you stay on an older line, you can also remediate by moving to 31.2.2-2p3 for the 31.x line, or 30.2.7 for the 30.x and 22.x lines. There is no workaround, so a move to one of the fixed releases is required.

Q. Which one is the most dangerous?

CVE-2026-47865 (severity 9.8). It is the only one of the seven that can reach the management console without a login, making it the entry point to watch most closely. It affects the 31.x, 30.x, and 22.x branches; the newer 32.1.1 is not affected by this one, but it is still affected by the other six, so it needs updating too.

Q. I use NSX Advanced Load Balancer β€” does this apply?

Yes. NSX Advanced Load Balancer is the former name of today's Avi Load Balancer. It is the same product, so if your version falls within the affected range, you need to update.

Q. Is it already being exploited?

As of now, there are no reports of in-the-wild exploitation, no listing in the U.S. CISA "Known Exploited Vulnerabilities" catalog (KEV), and no public proof-of-concept (PoC). Still, front-door devices are attractive targets, so updating promptly is recommended.

Summary

VMware's Avi Load Balancer β€” placed by many companies at the front door of their services β€” has seven newly disclosed flaws. The most severe, CVE-2026-47865 (severity 9.8), is an authentication bypass that takes over the management console without a login; seizing the device puts the entire service behind it at risk. The batch also includes remote code execution and file-reading flaws, and there is no workaround β€” updating is the only fix.

The fixed versions are 32.1.2, 31.2.2-2p3, and 30.2.7, with the vendor recommending the latest 32.1.2. There are no reports of active exploitation or a public PoC as of now, but a load balancer is a "front-door" device that attackers favor. If you use it, confirm whether your version is affected and update promptly while accounting for the impact on live systems.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django