Full Report
Broadcom VMware security advisory (AV26-712)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in VMware Avi Load Balancer
## CVE Details
*Note: This advisory covers seven distinct vulnerabilities.*
- **CVE ID:** CVE-2026-47865, CVE-2026-47866, CVE-2026-47867, CVE-2026-47868, CVE-2026-47869, CVE-2026-47870, CVE-2026-47871
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** Included weaknesses typically involve Authentication Bypass, Remote Code Execution (RCE), and Input Validation errors (refer to vendor advisory for specific mapping per CVE).
## Affected Systems
- **Products:** VMware Avi Load Balancer (formerly NSX Advanced Load Balancer)
- **Versions:** Multiple versions including legacy 22.x and 30.x branches.
- **Configurations:** Systems running the Controller and Service Engine components.
## Vulnerability Description
This suite of vulnerabilities addresses several critical flaws within the VMware Avi Load Balancer. The primary concern includes insecure management of authentication tokens and flaws in the administrative API. These weaknesses allow an attacker to bypass security constraints, potentially gaining unauthorized administrative access to the Load Balancer Controller.
## Exploitation
- **Status:** Not currently reported as exploited in the wild (based on initial disclosure date).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full data access possible)
- **Integrity:** High (Configuration modification and system takeover)
- **Availability:** High (Potential for service disruption or total system shutdown)
## Remediation
### Patches
Broadcom has released the following updated versions to address these vulnerabilities. Administrators should upgrade to the latest maintenance release within their respective branch:
- **VMware Avi Load Balancer 30.2.[x]**
- **VMware Avi Load Balancer 22.1.[x]**
*(Refer to the Broadcom support portal for the specific localized build numbers).*
### Workarounds
- No specific functional workarounds have been provided that substitute for patching.
- **Temporary Mitigation:** Restrict access to the Avi Controller management interface to trusted internal networks only. Use VPNs or Jump Hosts to limit the exposure of the administrative API to the public internet.
## Detection
- **Indicators of Compromise:** Monitor system logs for unusual administrative login activity originating from unexpected IP addresses. Look for unauthorized configuration changes in the Avi Controller.
- **Detection methods and tools:** Utilize vulnerability scanners (e.g., Tenable, Qualys) updated with the latest plugins for VMSA-2026-0005. Audit API access logs for 4xx/5xx errors or unusual request patterns directed at authentication endpoints.
## References
- **Vendor advisory:** hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37926
- **Broadcom Security Portal:** hxxps[://]support[.]broadcom[.]com/web/ecx/security-advisory?segment=VA
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/broadcom-vmware-security-advisory-av26-712