The U.S. Cybersecurity and Infrastructure Security Agency has added a newly disclosed VMware vulnerability to its Known Exploited Vulnerabilities catalog after reports indicated real-world abuse.
The flaw, tracked as CVE-2026-22719, affects Broadcom VMware Aria Operations and carries a CVSS score of 8.1, classifying it as high severity.
Command Injection Risk Enables Remote Code Execution
According to the vendor advisory, the issue stems from a command injection weakness that could allow an unauthenticated attacker to execute arbitrary commands.
If exploited during support-assisted product migration, the vulnerability may result in remote code execution within VMware Aria Operations environments. This means an external attacker could potentially run malicious commands without needing valid credentials.
Broadcom acknowledged reports of possible exploitation in the wild, although it stated that it could not independently verify the claims.
Additional Flaws Patched
The update that addressed CVE-2026-22719 also resolved two other vulnerabilities:
- CVE-2026-22720, a stored cross-site scripting issue
- CVE-2026-22721, a privilege escalation flaw that could grant administrative-level access
The vulnerabilities impact the following products:
- VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x, fixed in version 9.0.2.0
- VMware Aria Operations 8.x, fixed in version 8.18.6
Workaround Available for Unpatched Systems
For customers unable to immediately deploy patches, Broadcom has provided a temporary mitigation. Administrators can download and execute a shell script named aria-ops-rce-workaround.sh as root on each Aria Operations virtual appliance node.
However, applying the official security update remains the recommended long-term remediation.
Federal Agencies Face March Deadline
Due to confirmed active exploitation, Federal Civilian Executive Branch agencies are required to apply the necessary fixes by March 24, 2026, in accordance with KEV catalog remediation timelines.
At present, there are no public details about the threat actors involved or the scale of exploitation efforts. Security teams are advised to prioritize patching, restrict administrative access, and monitor systems for unusual command execution activity.


