Security scanning tools (such as Tenable) may flag VMware Cloud Foundation (VCF) Orchestrator nodes as vulnerable due to an outdated version of OpenSSH.
The scanners specifically identify the presence of OpenSSH < 10.3 (Tenable ID: TEN-306743) and may list the following associated Common Vulnerabilities and Exposures (CVEs):
CVE-2026-35414
CVE-2026-35385
CVE-2026-35386
CVE-2026-35387
CVE-2026-35388
VMware Cloud Foundation (VCF) Orchestrator 9.0.2
The version of OpenSSH shipped with the base Photon OS in VCF Orchestrator 9.0.2 is being flagged by security scanners during routine compliance and vulnerability checks.
VMware By Broadcom is aware of CVE-2026-35414, CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, and CVE-2026-35388.
Please refer to the release notes for existing and forthcoming product releases for any updates in relation to these CVEs.
Should you require further information, please contact Broadcom Support.
National Vulnerability Database (NVD):