CISA Flags Critical VMware Aria Operations Vulnerability Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security flaw affecting Broadcom’s VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation in the wild.
The flaw, tracked as CVE-2026-22719 with a CVSS score of 8.1 (rated High), is a command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary commands. Broadcom's advisory states that, during support-assisted product migration, a malicious actor could exploit it to achieve remote code execution on VMware Aria Operations.
In response, Broadcom has released patches addressing CVE-2026-22719, along with two other vulnerabilities:
– CVE-2026-22720: A stored cross-site scripting vulnerability.
– CVE-2026-22721: A privilege escalation vulnerability that could grant administrative access.
The affected products and their respective fixes are:
– VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x: Updated to version 9.0.2.0.
– VMware Aria Operations 8.x: Updated to version 8.18.6.
For customers unable to apply the patches immediately, Broadcom provides a workaround: download the shell script named aria-ops-rce-workaround.sh and run it as the root user on every Aria Operations Virtual Appliance node in the deployment. The script is an interim mitigation, not a substitute for the update, so the fixed version should still be applied as soon as possible.
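The following is an added triage helper, not Broadcom's workaround script or any code from the advisory. It compares an Aria Operations build number against the fixed versions listed above (8.18.6 for the 8.x line, 9.0.2.0 for the VCF/VVF 9.x line) so that an inventory of appliance nodes can be screened for ones that still need the patch or the interim script. How the version string is collected from each node is assumed to be handled by the caller; the node inventory embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example: flag Aria Operations nodes still below the advisory's fixed
# versions. Not Broadcom's aria-ops-rce-workaround.sh. The version string for
# each node is assumed to be supplied by the caller (assumption).

# Compare two dotted version strings numerically, field by field, padding the
# shorter one with zeros (so 9.0.2 equals 9.0.2.0). Prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit 0 if the given build is below the fixed version for its line
# (8.x -> 8.18.6, 9.x -> 9.0.2.0), 1 if it is fixed, 2 if it is outside
# the advisory's scope.
aria_ops_needs_fix() {
    v="$1"
    case "$v" in
        8.*) [ "$(vercmp "$v" 8.18.6)" -lt 0 ] ;;
        9.*) [ "$(vercmp "$v" 9.0.2.0)" -lt 0 ] ;;
        *)   return 2 ;;
    esac
}

# Constructed sample inventory ("hostname version" per line), not real data.
SAMPLE_INVENTORY="aria-ops-01 8.18.5
aria-ops-02 8.18.6
vcf-ops-01 9.0.1.0
vcf-ops-02 9.0.2.0"

# Print one line for every node that still needs the patch or the workaround.
report() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host ver; do
        if aria_ops_needs_fix "$ver"; then
            echo "$host $ver: below fixed version; patch or run aria-ops-rce-workaround.sh as root"
        fi
    done
}

report
```

The comparison is done per numeric field rather than as a string so that, for example, 8.18.10 is correctly treated as newer than 8.18.6. Anything that is not an 8.x or 9.x build is reported as out of scope rather than silently marked safe.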
Details regarding the exploitation methods, responsible parties, and the extent of the attacks remain undisclosed. Broadcom acknowledges reports of potential exploitation but has not independently confirmed their validity.
Given the active exploitation, CISA mandates that Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by March 24, 2026, to safeguard their systems.