
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw affecting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as actively exploited in the wild.
The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), is described as a case of command injection that could allow an unauthenticated attacker to execute arbitrary commands.
“An unauthenticated malicious attacker could exploit this issue to execute arbitrary commands, potentially leading to remote code execution in VMware Aria Operations during a support-assisted product migration,” the company said in an advisory late last month.
This flaw was addressed along with CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation vulnerability that could result in administrative access. The following products are affected:
VMware Cloud Foundation and VMware vSphere Foundation 9.xxx – Fixed in 9.0.2.0
VMware Aria Operations 8.x – Fixed in 8.18.6
Customers who cannot immediately apply the patch can download a shell script (‘aria-ops-rce-workaround.sh’) and run it as root from each Aria Operations Virtual Appliance node.
At this time, details are unclear about how this vulnerability is being exploited in the wild, who is behind it, and the scale of such efforts.
“Broadcom is aware of reports that CVE-2026-22719 could be exploited in the wild, but cannot independently confirm its validity,” the company said in an update.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply the fix by March 24, 2026.
