VMware Aria Operations RCE Flaw Added to CISA KEV Catalog
CISA confirms active exploitation of VMware Aria Operations CVE-2026-22719, a command injection flaw enabling unauthenticated RCE. Patch by March 24.
CISA has added a command injection vulnerability in VMware Aria Operations to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. Federal agencies must patch or mitigate CVE-2026-22719 by March 24, 2026.
The high-severity flaw (CVSS 8.1) allows unauthenticated attackers to execute arbitrary commands on vulnerable Aria Operations deployments during support-assisted product migration operations. Broadcom, which now owns VMware, acknowledged exploitation reports but stated they "cannot independently confirm their validity."
How the Attack Works
CVE-2026-22719 exploits Aria Operations' handling of product migration processes. An unauthenticated attacker can inject malicious commands into the migration workflow, and the system executes them without proper validation. Successful exploitation leads to remote code execution on the underlying virtual appliance.
The attack surface exists during "support-assisted product migration" - a process that organizations might assume carries lower risk because it's an administrative operation. But the vulnerability can be triggered remotely without credentials, making it exploitable whenever migration functions are accessible.
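To make the bug class concrete, here is an added illustration (not Aria Operations' code, and not derived from the advisory) of a hypothetical migration handler that takes a caller-supplied source node name. The script path, the parameter name and the node-name rules are assumptions chosen for the example. The unsafe builder shows how untrusted input lands in a shell command line; the two hardened variants show the fixes a developer would apply: an allow-list check combined with an argv list that no shell ever parses, or `shlex.quote` when a shell string is genuinely unavoidable.

```python
import re
import shlex

# Assumed allow-list for a migration source node name: hostname-like only.
NODE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")
# Hypothetical migration helper invoked by the handler.
EXPORT_TOOL = "/opt/migrate/export.sh"


def is_valid_node_name(name: str) -> bool:
    """Allow-list validation: letters, digits, dots and hyphens only."""
    return NODE_NAME.fullmatch(name) is not None


def build_command_unsafe(source_node: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated into a string
    that would be handed to a shell. Separators and substitutions in the
    input become part of what the shell interprets."""
    return f"{EXPORT_TOOL} --source {source_node}"


def build_command_safe(source_node: str) -> list:
    """Hardened pattern: reject anything outside the allow-list, then pass an
    argv list so the value is a single argument and no shell parses it."""
    if not is_valid_node_name(source_node):
        raise ValueError(f"rejected source node name: {source_node!r}")
    return [EXPORT_TOOL, "--source", source_node]


def build_command_quoted(source_node: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote neutralises
    metacharacters so the whole value is one word to the shell."""
    return f"{EXPORT_TOOL} --source {shlex.quote(source_node)}"


if __name__ == "__main__":
    for candidate in ("prod-vrops-01", "node01; id"):
        print("input:   ", repr(candidate))
        print("unsafe:  ", build_command_unsafe(candidate))
        print("quoted:  ", build_command_quoted(candidate))
        try:
            print("argv:    ", build_command_safe(candidate))
        except ValueError as exc:
            print("argv:    ", exc)
```

The argv form is the preferred fix: validation limits what reaches the tool, and the list form removes the shell from the picture entirely, so a missed metacharacter in the allow-list cannot turn into command execution.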
Affected Versions and Patches
Broadcom addressed CVE-2026-22719 alongside two related vulnerabilities:
| CVE | Type | Fixed Version |
|---|---|---|
| CVE-2026-22719 | Command Injection (RCE) | 8.18.6 / 9.0.2.0 |
| CVE-2026-22720 | Stored XSS | 8.18.6 / 9.0.2.0 |
| CVE-2026-22721 | Privilege Escalation | 8.18.6 / 9.0.2.0 |
Organizations running VMware Cloud Foundation or vSphere Foundation 9.x should update to version 9.0.2.0. Those on Aria Operations 8.x need version 8.18.6.
Workaround Available
For organizations unable to patch immediately, Broadcom provides a temporary workaround. Administrators can download and execute a shell script named "aria-ops-rce-workaround.sh" as root on each Aria Operations Virtual Appliance node.
This script blocks the vulnerable migration pathway without requiring a full software update, buying time for scheduled maintenance windows. However, it's a temporary measure - full patching remains the recommended remediation.
VMware's Troubled Security Record
Aria Operations (formerly vRealize Operations) manages monitoring and analytics across VMware environments. As infrastructure management tooling, it typically has broad visibility into virtualized workloads and configuration data - exactly the kind of privileged access attackers seek.
This follows a pattern of virtualization infrastructure being targeted for initial access. We've covered similar concerns with authentication bypass vulnerabilities in network appliances that threat actors exploit to establish footholds in enterprise environments.
The combination of privileged access and network reachability makes management platforms like Aria Operations attractive targets. Compromising these systems provides attackers visibility into the entire virtualized infrastructure and potentially credentials or configurations for broader access.
What to Do Now
Security teams managing VMware environments should prioritize this remediation:
- Inventory Aria Operations deployments - Identify all instances across production, development, and disaster recovery environments
- Apply patches or workaround - Deploy version 8.18.6 or 9.0.2.0, or immediately run the workaround script
- Restrict network access - Ensure Aria Operations interfaces aren't exposed to untrusted networks
- Monitor for exploitation - Review logs for anomalous activity related to migration processes
Federal agencies under BOD 22-01 face a March 24 deadline, but private sector organizations shouldn't wait. Active exploitation means threat actors are already scanning for vulnerable instances.
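The inventory, patch-or-workaround and exposure steps above reduce to a version check against the fixed builds per release train (8.18.6 for 8.x, 9.0.2.0 for 9.x) plus two facts per node. The following triage script is an added example, not a Broadcom or CISA tool: the inventory records are constructed, and the fields `workaround_applied` and `untrusted_reachable` are assumptions about what an asset inventory would carry. It ranks nodes so that an unpatched appliance reachable from an untrusted network, with no workaround applied, comes first, and it reports the days remaining until the March 24, 2026 deadline.

```python
from dataclasses import dataclass
from datetime import date

# Fixed builds from the advisory table, keyed by release train.
FIXED_VERSIONS = {8: (8, 18, 6), 9: (9, 0, 2, 0)}
# BOD 22-01 remediation deadline for CVE-2026-22719.
KEV_DEADLINE = date(2026, 3, 24)


@dataclass
class Node:
    hostname: str
    version: str
    environment: str           # production / development / dr
    workaround_applied: bool   # assumed: aria-ops-rce-workaround.sh run as root
    untrusted_reachable: bool  # assumed: interface reachable from an untrusted network


def parse_version(text: str) -> tuple:
    """'8.18.6' -> (8, 18, 6); raises ValueError on non-numeric components."""
    return tuple(int(p) for p in text.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed build for its train."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        raise ValueError(f"no fixed version known for release train {v[0]}")
    width = max(len(v), len(fixed))

    def pad(t):  # right-pad with zeros so 8.18.6 and 8.18.6.0 compare equal
        return t + (0,) * (width - len(t))

    return pad(v) >= pad(fixed)


def classify(node: Node) -> str:
    if is_patched(node.version):
        return "patched"
    if node.untrusted_reachable and not node.workaround_applied:
        return "critical"    # unauthenticated RCE reachable from outside, nothing mitigating it
    if node.workaround_applied:
        return "mitigated"   # workaround buys time; the patch is still due
    return "unpatched"


PRIORITY = {"critical": 0, "unpatched": 1, "mitigated": 2, "patched": 3}


def triage(nodes, today_iso: str):
    """Return (days until deadline, [(status, node)]) sorted most urgent first."""
    days_left = (KEV_DEADLINE - date.fromisoformat(today_iso)).days
    rows = [(classify(n), n) for n in nodes]
    rows.sort(key=lambda r: (PRIORITY[r[0]], r[1].hostname))
    return days_left, rows


# Constructed sample inventory; hostnames and states are invented.
SAMPLE_INVENTORY = [
    Node("vrops-prod-01", "8.18.5", "production", False, True),
    Node("vrops-prod-02", "8.18.6", "production", False, False),
    Node("vrops-dev-01", "9.0.1", "development", True, False),
    Node("vrops-dr-01", "9.0.2.0", "dr", False, False),
    Node("vrops-lab-01", "9.0.0", "development", False, False),
]

if __name__ == "__main__":
    days, rows = triage(SAMPLE_INVENTORY, date.today().isoformat())
    print(f"{days} day(s) until the KEV deadline ({KEV_DEADLINE})")
    for status, n in rows:
        print(f"{status:10} {n.hostname:16} {n.version:8} {n.environment}")
```

Feeding it a real export of Aria Operations nodes is a matter of building `Node` records from whatever inventory the organisation already keeps; the comparison logic handles both three- and four-component version strings across the 8.x and 9.x trains.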
The Broader Context
VMware vulnerabilities routinely appear in CISA's KEV catalog because the platform's enterprise ubiquity makes it a high-value target. Attackers know that compromising virtualization infrastructure can provide access to dozens of workloads through a single exploitation.
Organizations dependent on VMware should implement defense-in-depth strategies that assume management interfaces may be compromised. Network segmentation, aggressive logging, and credential isolation help limit damage when - not if - the next VMware vulnerability emerges.