Seven Security Flaws Fixed in VMware Avi Load Balancer, One Rated Critical
Broadcom has patched a critical flaw that lets attackers break into a core networking component without a password, plus six more serious bugs found by two outside researchers.

Key points
- Broadcom patched seven vulnerabilities in VMware Avi Load Balancer on Tuesday, including one rated critical.
- CVE-2025-47865, the most serious flaw, carries a critical severity rating and lets an attacker break in without any password over a network connection.
- Filip Waeytens of NATO's technology and cyber hub discovered four of the seven flaws; Lang Khuong Duy of Viettel IDC found two, and both researchers share credit for a seventh.
- No active attacks exploiting any of these vulnerabilities have been reported as of Broadcom's advisory.
- Organisations running VMware Avi Load Balancer should apply the latest updates immediately.
Broadcom, the company that owns VMware, shipped security updates on Tuesday for a product called VMware Avi Load Balancer. A load balancer is software that spreads internet traffic across multiple servers so no single machine gets overwhelmed. It sits at a critical chokepoint in many corporate networks, which makes it a valuable target.
Seven vulnerabilities, meaning software flaws that attackers can exploit, were fixed in one go. Two independent researchers found all of them.
The worst is CVE-2025-47865, rated critical. It is an authentication bypass, meaning an attacker can walk straight past the login screen without a password. Anyone with access to the network where the software runs could exploit it to break into the Avi control plane, the part of the system that manages all traffic routing decisions. Filip Waeytens, a researcher at NATO's technology and cyber hub, discovered it.
Waeytens also found three more flaws, all rated high severity. Tracked as CVE-2025-47866, CVE-2025-47867, and CVE-2025-47868, they allow attackers to bypass login controls again, run their own code on the system, or escalate privileges to root (meaning gain full administrator control over the machine).
Lang Khuong Duy of Vietnamese security firm Viettel IDC found two additional high-severity bugs. CVE-2025-47871 enables a directory traversal attack, where an intruder tricks the software into reading files outside the folders it should touch. CVE-2025-47870 allows privilege escalation.
Both researchers share credit for CVE-2025-47869, a high-severity remote code execution flaw. Remote code execution means an attacker can run any command they choose on a target machine from across a network. This one requires the attacker to be logged in first, which raises the bar slightly.
Should organisations be worried right now?
Broadcom's advisory lists no evidence that criminals are actively using any of these flaws in real attacks. That is good news, but it is not a reason to wait. Attackers routinely study freshly published patches, work out what was broken, and build exploit tools within days. VMware products have been targeted this way before, first reported by SecurityWeek among others.
If your employer runs VMware Avi Load Balancer, the IT or security team should be applying these patches now. For everyone else, the practical takeaway is simple: if a service you use goes down unexpectedly in the coming days and the provider mentions "maintenance", this kind of patching is often why.



