
Actively Exploited Command Injection in VMware Aria Operations (CVE-2026-22719)

March 13th, 2026

High

Our Cyber Threat Intelligence Unit is monitoring CVE-2026-22719, a high-severity command injection vulnerability in VMware Aria Operations, a widely used enterprise virtual infrastructure management platform. Broadcom publicly disclosed the vulnerability on February 24, 2026, and it was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 3, 2026. While CISA classifies the vulnerability as known exploited, Broadcom reports only unconfirmed accounts of potential exploitation. The vulnerability allows an unauthenticated remote actor to execute arbitrary operating system commands on vulnerable Aria Operations instances when support-assisted product migration is actively in progress. Broadcom has released patches and a workaround script. Federal Civilian Executive Branch (FCEB) agencies must apply vendor fixes by March 24, 2026.

Technical Details

  • CVE-ID: CVE-2026-22719

  • Severity: High

    • CVSS v3.1 Base Score: 8.1

  • Vulnerability Type: Command Injection

    • (CWE-77) Improper Neutralization of Special Elements Used in an OS Command

  • Authentication Required: None (Unauthenticated exploitation)

  • Attack Vector: Network

  • Affected Products:

    • VMware Aria Operations 8.0.x up to (excluding) 8.18.6: Fixed in 8.18.6

    • VMware Aria Operations 9.0.x up to (excluding) 9.0.2: Fixed in 9.0.2

    • VMware Cloud Foundation 4.0.x up to (excluding) 5.2.3: Fixed in 5.2.3

    • VMware Cloud Foundation 9.0.x up to (excluding) 9.0.2.0: Fixed in 9.0.2.0

    • VMware Telco Cloud Infrastructure 2.2 through 3.0: Refer to Broadcom KB428241

    • VMware Telco Cloud Platform 4.0 through 5.1: Refer to Broadcom KB428241

  • Vulnerability Description:

    • CVE-2026-22719 is a command injection vulnerability stemming from insufficient input validation in VMware Aria Operations.

    • If support-assisted product migration is actively in progress, an unauthenticated remote attacker can send specially crafted requests to the vulnerable component.

    • The application processes attacker-controlled input without proper sanitization, allowing arbitrary operating system commands to be executed with service-level privileges.

  • Attack Chain:

    • Attacker identifies an internet-exposed VMware Aria Operations instance with support-assisted migration actively in progress.

    • Specially crafted network requests are sent to the vulnerable service without requiring authentication.

    • The application processes attacker-controlled input and fails to properly sanitize OS command elements.

    • Arbitrary commands are executed on the underlying operating system with the privileges of the Aria Operations service.

    • An attacker may leverage this foothold for post-exploitation activities, including credential harvesting, lateral movement, and persistence.


Impact

Successful exploitation of CVE-2026-22719 may result in:

  • Remote Command Execution: Attackers can execute arbitrary operating system commands on the Aria Operations server without authentication.

  • Unauthorized System Access: Malicious actors gain access to the virtual environment's monitoring and management infrastructure.

  • Sensitive Data Exposure: Attackers may access system configuration files, stored credentials, and operational telemetry data.

  • Lateral Movement: A compromised Aria Operations server can serve as a pivot point to access other systems within the virtualized infrastructure.

  • Security Monitoring Blind Spots: Attackers may manipulate or disable monitoring alerts and analytics, reducing operational visibility into ongoing malicious activity.

  • Operational Disruption: Manipulation of monitoring services may impact infrastructure management, stability, and visibility across the virtual environment.

Given the central role VMware Aria Operations plays in enterprise virtual infrastructure management, successful exploitation represents a high-risk event with the potential for significant impact on operational continuity, data integrity, and security posture.

Detection Method

Security teams should implement the following monitoring and investigative measures to identify potential exploitation:

  • Monitor for unexpected or malformed network requests targeting VMware Aria Operations services, particularly during or shortly after migration activities.

  • Alert on abnormal command execution processes spawned from the Aria Operations service account or application context.

  • Review system logs for unauthorized or unusual administrative configuration changes within the Aria Operations platform.

  • Detect unexpected outbound network connections from the Aria Operations server to external or unfamiliar IP addresses.

  • Correlate platform alerts with SIEM telemetry for indicators of privilege escalation, new service creation, or unexpected system modifications originating from the Aria Operations host.

  • Enable and review audit logging for all administrative actions performed against the Aria Operations management interface.
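As an added illustration of the second and fourth detection points above (not code from the advisory or from Broadcom), the following script runs two rules over constructed process and network telemetry: a shell or downloader spawned under the Aria Operations service account, and an outbound connection from that account to an address outside the trusted ranges. The service account name (aria-svc), the event format, and the trusted range are assumptions for the example.

```python
import json
import ipaddress
from datetime import datetime, timedelta

# Assumed environment values (not from the advisory): the account the Aria
# Operations service runs as, and the internal ranges its node may talk to.
SERVICE_USERS = {"aria-svc"}
SHELL_NAMES = {"sh", "bash", "dash", "python3", "perl", "curl", "wget"}
TRUSTED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]
CORRELATION_WINDOW = timedelta(minutes=10)

def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]

def is_suspicious_spawn(ev):
    """A shell or downloader under the service account is unexpected for a
    monitoring application and a classic sign of command injection."""
    return (ev.get("type") == "process"
            and ev.get("user") in SERVICE_USERS
            and ev.get("image") in SHELL_NAMES)

def is_untrusted_egress(ev):
    """Outbound connection from the service account to a non-trusted address."""
    if ev.get("type") != "network" or ev.get("user") not in SERVICE_USERS:
        return False
    dst = ipaddress.ip_address(ev["dst_ip"])
    return not any(dst in net for net in TRUSTED_EGRESS)

def detect(lines):
    """Return (alerts, high_severity_hosts). Each matching event is an alert; a
    suspicious spawn followed by untrusted egress on the same host within
    CORRELATION_WINDOW escalates that host to high severity."""
    events = sorted(parse_events(lines), key=lambda e: e["ts"])
    alerts, last_spawn, high = [], {}, []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if is_suspicious_spawn(ev):
            alerts.append(("shell_from_service", ev["host"], ev["cmdline"]))
            last_spawn[ev["host"]] = ts
        elif is_untrusted_egress(ev):
            alerts.append(("untrusted_egress", ev["host"], ev["dst_ip"]))
            spawn_ts = last_spawn.get(ev["host"])
            if spawn_ts and ts - spawn_ts <= CORRELATION_WINDOW:
                high.append(ev["host"])
    return alerts, high

# Constructed sample telemetry (not real captures) as JSON lines.
SAMPLE = """
{"ts":"2026-03-05T10:00:00","type":"process","host":"aria-node1","user":"aria-svc","image":"java","cmdline":"java -jar app.jar"}
{"ts":"2026-03-05T10:01:10","type":"process","host":"aria-node1","user":"aria-svc","image":"sh","cmdline":"sh -c id"}
{"ts":"2026-03-05T10:03:00","type":"network","host":"aria-node1","user":"aria-svc","dst_ip":"203.0.113.7"}
{"ts":"2026-03-05T10:05:00","type":"network","host":"aria-node2","user":"aria-svc","dst_ip":"10.20.0.5"}
"""
```

Feeding real EDR or auditd process-creation and connection events into the same shape lets the correlation step surface the post-exploitation pattern the advisory describes, rather than isolated single events.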

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.


Recommendations

Organizations should take the following defensive actions to reduce risk:

  • Patch immediately:

    • Update VMware Aria Operations to version 8.18.6, or VMware Cloud Foundation to version 9.0.2.0, as applicable (see the fixed versions listed under Affected Products for each product line).

  • Deploy the available workaround if immediate patching is not feasible:

    • Broadcom has published a shell script (aria-ops-rce-workaround.sh) that can be executed as root on all Aria Operations Virtual Appliance nodes as an interim mitigation (KB430349).

  • Restrict network access to Aria Operations management interfaces and APIs to trusted IP ranges only.

    • Avoid exposing these services to the public internet.

  • Temporarily suspend or closely monitor support-assisted migration activities until patches are applied.

  • Enforce multi-factor authentication (MFA) for all administrative accounts with access to the Aria Operations platform.

  • Implement network segmentation to isolate management infrastructure from production workloads, reducing potential lateral movement paths.

  • Conduct vulnerability scanning across the environment to identify any additional unpatched or unsupported Aria Operations deployments.

  • Monitor logs continuously for anomalous activity as described in the Detection Method section above.

Conclusion

CVE-2026-22719 is a high-severity, unauthenticated command injection vulnerability affecting VMware Aria Operations and can be exploited without credentials under a defined migration condition. It demonstrates that even platform-specific operational windows, such as support-assisted migration, can introduce significant attack surface if left unmonitored and unpatched. Organizations should prioritize applying vendor patches, deploying available workarounds, and strengthening monitoring controls to detect and disrupt exploitation attempts within infrastructure management environments.
