Overview
VMware has disclosed CVE-2026-47870, a privilege escalation vulnerability in the Avi Load Balancer that allows authenticated network users to execute remote code on the affected system. This is distinct from the companion local-escalation bug (CVE-2026-47868) — this flaw is exploitable over the network.
The vulnerability carries a CVSS v3.1 base score of 7.1 (High) and was published to the NVD on July 18, 2026.
Affected Versions
| Version Branch | Affected Range | Fixed Version |
|---|---|---|
| 32.x | 32.1.1 | 32.1.2 |
| 31.x | 31.1.1 – 31.2.2 | 31.2.2-2p3 |
| 30.x | 30.1.1 – 30.2.6 | 30.2.7 |
| 22.x | 22.1.1 and later (branch) | See VMware advisory |
Technical Details
The vulnerability allows a malicious authenticated user with network access to escalate privileges and execute arbitrary remote code on the Avi Load Balancer appliance. The nature of the flaw suggests inadequate authorization checks on certain network-accessible operations or APIs.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact: Moderate to High across CIA triad
The network-accessible attack vector makes this flaw particularly concerning for deployments where Avi Load Balancer management interfaces are reachable from untrusted network segments or shared environments.
Remediation
VMware has released patches to address this vulnerability:
- 32.x: Upgrade to 32.1.2 or later
- 31.x: Upgrade to 31.2.2-2p3 or later
- 30.x: Upgrade to 30.2.7 or later
Mitigation
If immediate patching is not possible:
- Restrict management interface access — place Avi Load Balancer management APIs behind a dedicated management network segment, inaccessible from general user networks
- Enforce strong authentication — require multi-factor authentication for all management accounts
- Audit authenticated users — review all accounts with access to Avi Load Balancer; remove stale or unnecessary credentials
- Enable network-level logging — capture all API activity to detect exploitation attempts
Context
This CVE is part of a cluster of three VMware Avi Load Balancer vulnerabilities disclosed simultaneously (CVE-2026-47868, CVE-2026-47870, CVE-2026-47871). Organizations running affected Avi versions should treat this as a coordinated patching event rather than addressing each individually.
References
- NVD Entry — CVE-2026-47870
- VMware Security Advisory (check Broadcom/VMware security portal for the official advisory)