VMware Aria Operations Flaw Added to CISA KEV Amid Attacks
CISA adds CVE-2026-22719 to Known Exploited Vulnerabilities catalog after confirming active exploitation of VMware Aria Operations command injection flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog after confirming that attackers are actively exploiting a command injection flaw in Broadcom's VMware Aria Operations platform.
The vulnerability, which carries a CVSS score of 8.1 (High), allows unauthenticated attackers to execute arbitrary commands on vulnerable systems, potentially leading to full remote code execution. Federal agencies are now required to apply patches by March 24, 2026.
What is CVE-2026-22719?
CVE-2026-22719 is a command injection vulnerability affecting VMware Aria Operations, the enterprise infrastructure monitoring platform formerly known as vRealize Operations. The flaw exists because of improper input validation and sanitization within the support-assisted migration workflow, where user-controlled input gets incorporated into system commands without adequate neutralization of special characters and command separators.
According to Broadcom's security advisory, a malicious unauthenticated actor may exploit this vulnerability to execute arbitrary commands during support-assisted product migration procedures.
Affected Products and Versions
The vulnerability affects multiple VMware products across several versions:
- VMware Aria Operations 8.x (fixed in 8.18.6)
- VMware Cloud Foundation 9.x.x.x (fixed in 9.0.2.0)
- VMware vSphere Foundation 9.x.x.x (fixed in 9.0.2.0)
Organizations running any of these products should immediately check their version numbers against the patched releases. This follows the pattern of critical flaws affecting infrastructure management platforms—similar to the Palo Alto GlobalProtect vulnerability disclosed earlier this year.
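The version check described above can be scripted across an inventory. The following is an added example, not code from Broadcom or CISA: it compares reported versions against the fixed releases and federal deadline stated in this article, and the product keys, hostnames and sample inventory are constructed for illustration.

```python
from datetime import date

# Fixed releases per the article; product keys and hostnames are example labels.
FIXED = {
    "aria-operations": (8, 18, 6),
    "cloud-foundation": (9, 0, 2, 0),
    "vsphere-foundation": (9, 0, 2, 0),
}
KEV_DUE = date(2026, 3, 24)  # FCEB remediation deadline given in the article

def parse_version(text):
    """Turn '8.18.6' or '9.0.2.0' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product, version_text):
    """Return 'patched', 'vulnerable', or 'review' for one inventory entry."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "review"  # product is not in the article's affected list
    try:
        found = parse_version(version_text)
    except ValueError:
        return "review"  # no usable version string: check the node by hand
    if found[0] != fixed[0]:
        return "review"  # outside the 8.x / 9.x lines the article covers
    # Pad so '9.0.2' equals '9.0.2.0' and a trailing build number still compares.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "patched" if found >= fixed else "vulnerable"

def triage(inventory, today):
    """Return entries that are not confirmed patched, and days left to KEV_DUE."""
    rows = [(host, prod, ver, assess(prod, ver)) for host, prod, ver in inventory]
    return [r for r in rows if r[3] != "patched"], (KEV_DUE - today).days

# Constructed inventory: (hostname, product key, reported version).
SAMPLE = [
    ("ops-node-01", "aria-operations", "8.18.6"),
    ("ops-node-02", "aria-operations", "8.18.3"),
    ("vcf-mgmt-01", "cloud-foundation", "9.0.1.0"),
    ("vvf-mgmt-01", "vsphere-foundation", "9.0.2"),
    ("ops-node-03", "aria-operations", "unknown"),
]
if __name__ == "__main__":
    print(triage(SAMPLE, date(2026, 3, 10)))
```

Entries returned as "review" are those the script cannot classify from the article's version list alone and should be checked manually.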
Two Additional Flaws Patched
Broadcom patched two additional vulnerabilities alongside CVE-2026-22719 in its February 24 advisory:
- CVE-2026-22720: A stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious scripts
- CVE-2026-22721: A privilege escalation flaw enabling attackers to gain administrative access
While neither of these additional vulnerabilities has been flagged as actively exploited, organizations should apply patches that address all three issues simultaneously.
Active Exploitation Confirmed
CISA's addition of CVE-2026-22719 to the KEV catalog confirms that threat actors are weaponizing this vulnerability in real-world attacks. The agency has not disclosed specific details about the exploitation activity, including which threat actors are involved or the scale of the attacks.
This follows a concerning pattern where VMware vulnerabilities draw rapid exploitation once public disclosure occurs. Security teams should treat this as a critical patching priority regardless of whether their specific environment has been targeted.
Recommended Mitigations
- Apply the patch immediately - Upgrade to VMware Aria Operations 8.18.6, VMware Cloud Foundation 9.0.2.0, or VMware vSphere Foundation 9.0.2.0
- Deploy the workaround if patching is delayed - Broadcom has provided a shell script (aria-ops-rce-workaround.sh) that must be executed as root on each Virtual Appliance node
- Monitor for suspicious activity - Review logs for unusual command execution patterns or unauthorized migration procedures
- Restrict network access - Limit exposure of VMware Aria Operations management interfaces to trusted networks only
Federal Deadline and Compliance
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate CVE-2026-22719 by March 24, 2026. While this directive applies specifically to federal agencies, CISA strongly encourages all organizations to prioritize remediation.
The addition of this vulnerability to the KEV catalog alongside the Qualcomm Android zero-day CVE-2026-21385 signals an active week for CISA's vulnerability tracking efforts.
Why This Matters
VMware Aria Operations is widely deployed across enterprise environments for infrastructure monitoring and performance optimization. A successful exploit could give attackers a foothold into some of the most sensitive parts of an organization's virtualization infrastructure.
The fact that this vulnerability is being actively exploited before many organizations have patched reinforces the need for automated vulnerability management and rapid response capabilities. Security teams managing VMware environments should verify their patch status immediately and monitor CISA's KEV catalog for additional indicators of compromise as more details emerge about the ongoing exploitation activity.