
March 3, 2026

Critical TLS authentication bypass impacts VMware Tanzu


At a glance: Broadcom has patched CVE-2025-68121, a critical (CVSS 10.0) flaw in Go’s crypto/tls library that impacts multiple VMware Tanzu products through embedded Go-based components. The vulnerability can undermine TLS authentication integrity during session resumption, potentially allowing unauthorized trust of a peer. Affected products include Tanzu RabbitMQ and several Tanzu Greenplum offerings. Users are urged to upgrade to the fixed versions listed in Broadcom’s advisories.

Threat summary

On February 27, 2026, Broadcom released updates addressing multiple vulnerabilities, including a dependency issue tracked as CVE-2025-68121 that affects several VMware Tanzu products.

The original vulnerability affects the Go programming language’s `crypto/tls` library and impacts any component that relies on this implementation. Tanzu products are affected because several embedded components, including Cert-Manager, internal controllers, and supporting utilities, are written in Go and depend directly on Go’s standard Transport Layer Security (TLS) stack.

When these components are built with a vulnerable Go version, the flaw propagates into the Tanzu packages that bundle them. The worst-case scenario is a loss of authentication integrity for TLS-protected communication: a resumed session allows continued trust of a peer that would not pass certificate validation under the current policy. The flaw is rated critical with a maximum CVSS score of 10.0.

CVE-2025-68121 appears in the following product advisories:

VMware Tanzu RabbitMQ on Kubernetes

Advisory 37129 identifies CVE-2025-68121 as a critical vulnerability in the Cert-Manager component bundled with Tanzu RabbitMQ Carvel packages.

Affected versions include all package versions older than 4.2.4.1, 4.1.9.1, 4.0.18.1, and 3.13.13.1.

VMware Tanzu Greenplum Backup and Restore

Advisory 37128 indicates that CVE-2025-68121 affects Tanzu Greenplum Backup and Restore 1.32.4 as part of a dependency update that remediates seven vulnerabilities.

VMware Tanzu Greenplum Upgrade

Advisory 37127 lists CVE-2025-68121 as one of the critical vulnerabilities remediated in Tanzu Greenplum Upgrade 1.10.3.

VMware Tanzu Greenplum Database

Advisory 37125 includes CVE-2025-68121 as a critical vulnerability affecting Greenplum Database 7.7.1.

Broadcom recommends upgrading to the fixed Tanzu RabbitMQ Carvel package versions, and to the updated Tanzu Greenplum Backup and Restore, Greenplum Upgrade, and Greenplum Database releases listed in the advisories.

Analysis & recommendations

The vulnerability is remotely exploitable because it sits in the TLS session-resumption path, which is exercised over the network, and the CVSS 10.0 rating reflects the potential loss of authentication integrity if an attacker can influence TLS session state.

Reducing exposure involves confirming that no outdated Cert-Manager components remain deployed, validating certificate authority configuration across clusters, and ensuring that certificate rotation and revocation workflows operate as expected after updates. The affected Tanzu components rely on Go for TLS operations, and updating to a fixed Go release removes the authentication bypass condition introduced by the TLS session-resumption flaw.

The affected products run as workloads inside Kubernetes clusters and rely on embedded Go-based components, including Cert-Manager, for certificate issuance, rotation, and validation. Because TLS session resumption is common in cluster-internal communication, updating to fixed package versions ensures that certificate authority changes are consistently enforced across services.

Validating that no outdated Cert-Manager instances or legacy controller pods remain in any namespace reduces residual exposure, and confirming that certificate rotation and revocation workflows function as expected after updates helps maintain consistent trust boundaries across the cluster.

Prioritizing patch deployment across all managed Kubernetes clusters and verifying that automated pipelines no longer reference vulnerable package versions reduces residual risk.
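As an added example (not code from Broadcom, the Tanzu projects, or this advisory), the Go program below encodes the fixed Tanzu RabbitMQ Carvel package versions from advisory 37129 and flags any deployed version that is older than the fix for its release line, the kind of check a pipeline or inventory job can run against the versions it references. The sample version strings are constructed, and the treatment of release lines with no listed fix is an assumption stated in the comments.

```go
package main

import (
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Fixed Tanzu RabbitMQ Carvel package versions (Broadcom advisory 37129), one per
// major.minor release line; any older version on the same line is affected.
var fixedRabbitMQ = []string{"4.2.4.1", "4.1.9.1", "4.0.18.1", "3.13.13.1"}

// parseVersion splits "4.2.4.1" into integer components; lexicographic
// comparison of the slices then orders "4.2.4" before "4.2.4.1", as intended.
func parseVersion(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.TrimPrefix(v, "v"), ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// IsVulnerable: is the deployed version older than the fix for its major.minor line?
// Assumption: a line with no listed fix is flagged only if it is older than the oldest
// fixed line (so 3.12.x is treated as affected, 4.3.x as already patched).
func IsVulnerable(deployed string) (bool, error) {
	d, err := parseVersion(deployed)
	if err != nil || len(d) < 2 {
		return false, fmt.Errorf("cannot parse package version %q", deployed)
	}
	for _, f := range fixedRabbitMQ {
		fv, _ := parseVersion(f) // list entries are well-formed
		if fv[0] == d[0] && fv[1] == d[1] {
			return slices.Compare(d, fv) < 0, nil
		}
	}
	oldest, _ := parseVersion(fixedRabbitMQ[len(fixedRabbitMQ)-1])
	return slices.Compare(d, oldest) < 0, nil
}

func main() {
	for _, v := range []string{"4.2.3", "4.2.4.1", "4.1.9", "3.12.5", "4.3.0"} { // constructed sample
		vuln, err := IsVulnerable(v)
		fmt.Println(v, "vulnerable:", vuln, "err:", err)
	}
}
```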
