Symantec VIP Enterprise Gateway vulnerability information regarding potential pen test vulnerability detections

Article ID: 418198

Updated On:

Products

VIP Service

Issue/Introduction

Penetration testing may flag potential vulnerabilities in Symantec VIP Enterprise Gateway (EG) 9.11.x. This article collects the reported findings and the recommended action for each. In most cases the scanner is matching a library version string rather than a reachable code path; the Status line for each entry explains whether the vulnerable code is actually used.

Environment

Product: Symantec VIP Enterprise Gateway

Resolution

CWE-548 - Directory Listing Vulnerability

  • Status: The VIP EG is an internal application normally deployed behind the DMZ and other network safeguards, so directory listing is treated as a low-priority finding.
  • Action: This will be addressed in VIP EGW 9.11.3.

CVE-2025-15467, CVSS 9.8 - OpenSSL Version 3.0.8 and 3.6.0

  • Status: The VIP EGW does not use the OpenSSL CMS module (<openssl/cms.h>) or the PKCS7_decrypt() functions, so the vulnerable code path is not reachable and the VIP EGW is not susceptible.
  • Action: OpenSSL will be upgraded in VIP EGW 9.11.3 so that version-based scanners no longer flag this CVE.

CVE-2023-38546 - Libcurl Cookie Injection Vulnerability

  • Status: VIP EG 9.11.0 does not call curl_easy_duphandle() and does not enable the cookie engine, so it is not vulnerable. The libcurl library was upgraded in 9.11.1 and later so that scanners no longer flag it.
  • Action: Upgrade to the latest version of the VIP Enterprise Gateway. 

CVE-2026-34480 - Apache Log4j Core Xml Layout Invalid XML Output

  • Status: Applications using Log4j's XmlLayout for log output are affected. Enterprise Gateway does not use Log4j's XmlLayout and is not vulnerable. 
  • Action: none required (the Log4j libraries will be updated in VIP EGW 9.11.3 so that scanners no longer flag this CVE).

CVE-2025-68161 -  Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 do not perform peer certificate TLS hostname verification

  • Status: The VIP EGW uses a custom UDP-based Socket Appender to send logs to the syslog server. There is no TCP-based SSL/TLS connection whose peer certificate would need hostname verification, so the VIP EGW is not vulnerable.
  • Action: none required.

CVE-2026-34477 - Apache Log4j Core TLS Hostname Verification Bypass

  • Status: This vulnerability stems from an incomplete fix for CVE-2025-68161. The VIP EGW uses a custom UDP-based Socket Appender to send logs to the syslog server, with no TCP-based SSL/TLS connection, so the VIP EGW is not vulnerable.
  • Action: none required. 

CVE-2026-34478 - Apache Log4j Core CRLF Log Injection

  • Status: The VIP EGW does not use the Rfc5424Layout. The VIP EGW is not vulnerable.
  • Action: To stop pen-test scanners from flagging this CVE, the Log4j libraries will be updated in version 9.11.3.
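
Pen-test reports that flag a CRLF log injection rarely show what the finding means in practice. The following Python is an added illustration, not code from this article or from Broadcom: a constructed attacker-controlled field (an assumed "username" submitted to a front end) is written into an RFC 5424-style syslog record first the unsafe way and then with CR/LF escaped, and a receiver-side check flags a UDP datagram that carries more than one record. The facility/severity value 14, the host name vip-eg, the app name auth and the timestamps are illustrative assumptions.

```python
"""CRLF log injection in the syslog setting this article discusses.

Added example, not code from this article or from Broadcom. The sample
message, host name, app name, facility/severity and timestamps are all
constructed for illustration.
"""
import re

# Constructed sample: a "username" carrying a CR/LF and a fake syslog header
# that claims a successful admin login.
ATTACKER_USERNAME = (
    "alice\r\n"
    "<14>1 2025-01-01T00:00:00Z vip-eg auth - - - login ok user=admin"
)

# A PRI field followed by an RFC 5424 version digit ('<14>1 ') or by the
# start of an RFC 3164 timestamp ('<14>Jan ').
PRI_HEADER = re.compile(r"<\d{1,3}>(?:\d+ |[A-Z][a-z]{2} )")


def format_record_unsafe(host: str, app: str, msg: str) -> str:
    """Embed msg verbatim: a CR/LF inside msg splits one event into two lines."""
    return f"<14>1 2025-01-01T00:00:00Z {host} {app} - - - {msg}"


def format_record_escaped(host: str, app: str, msg: str) -> str:
    """Escape CR and LF before embedding so one event always stays one line."""
    cleaned = msg.replace("\r", "\\r").replace("\n", "\\n")
    return f"<14>1 2025-01-01T00:00:00Z {host} {app} - - - {cleaned}"


def records_seen_by_line_parser(text: str) -> list[str]:
    """How a line-oriented consumer (file tail, grep, a SIEM line parser) sees it."""
    return [line for line in text.splitlines() if line]


def datagram_has_injected_record(payload: bytes) -> bool:
    """One UDP datagram should carry exactly one syslog record.

    Flag a payload in which a CR or LF is followed by something that looks
    like a new syslog header. A plain multi-line message (e.g. a stack trace)
    is not flagged; that is the deliberate trade-off of this heuristic.
    """
    text = payload.decode("utf-8", errors="replace")
    for m in re.finditer(r"[\r\n]+", text):
        if PRI_HEADER.match(text, m.end()):
            return True
    return False


def demo() -> dict:
    """Run both formatters over the constructed sample and summarise the outcome."""
    unsafe = format_record_unsafe("vip-eg", "auth", ATTACKER_USERNAME)
    escaped = format_record_escaped("vip-eg", "auth", ATTACKER_USERNAME)
    benign = format_record_unsafe("vip-eg", "auth", "login failed user=bob")
    return {
        "unsafe_records": len(records_seen_by_line_parser(unsafe)),
        "escaped_records": len(records_seen_by_line_parser(escaped)),
        "unsafe_flagged": datagram_has_injected_record(unsafe.encode()),
        "escaped_flagged": datagram_has_injected_record(escaped.encode()),
        "benign_flagged": datagram_has_injected_record(benign.encode()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The receiver-side check relies on the transport: with UDP, one datagram is one record by construction, so a datagram containing an embedded header is evidence that a sender embedded untrusted input unescaped. Over a plain line-oriented feed the two records are indistinguishable from legitimate ones, which is why the fix belongs in the layout that formats the message, not in the collector.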

Additional Information

Broadcom recommends upgrading to the latest VIP EGW release to ensure continued compliance with security best practices.

If your 9.11.x penetration tests show vulnerabilities not listed here, open a Broadcom Support case for assistance.