Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild. The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), has been described as a case of command injection that could allow an
Analysis Summary
# Vulnerability: VMware Aria Operations Unauthenticated Command Injection
## CVE Details
- **CVE ID:** CVE-2026-22719
- **CVSS Score:** 8.1 (High)
- **CWE:** Command injection (the source gives no specific CWE; the flaw is described as arbitrary command execution)
## Affected Systems
- **Products:**
  - VMware Aria Operations
  - VMware Cloud Foundation
  - VMware vSphere Foundation
- **Versions:**
  - VMware Aria Operations 8.x
  - VMware Cloud Foundation 9.x.x.x
  - VMware vSphere Foundation 9.x.x.x
- **Configurations:** The flaw is specifically exploitable while **support-assisted product migration** is in progress.
## Vulnerability Description
CVE-2026-22719 is a high-severity command injection vulnerability. A malicious unauthenticated actor can exploit it to execute arbitrary commands on the underlying operating system. Successful exploitation can lead to full remote code execution (RCE) within the VMware Aria Operations environment.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV catalog on March 4, 2026).
- **Complexity:** Low (implied, since the flaw allows unauthenticated execution).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential for full data access via RCE).
- **Integrity:** High (Arbitrary command execution allows system modification).
- **Availability:** High (Attacker can disrupt services or delete data).
## Remediation
### Patches
Broadcom has released the following fixed versions:
- **VMware Aria Operations:** Update to version **8.18.6** or later.
- **VMware Cloud Foundation / vSphere Foundation:** Update to version **9.0.2.0** or later.
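A patch-triage sketch built from the fixed versions above and the migration condition under Affected Systems. It is an added example, not Broadcom's or the original report's code; the inventory rows, node names, build suffix and status labels are constructed assumptions.

```python
import re

# Affected major branch and first fixed release per product, as listed on this page.
FIXED = {
    "VMware Aria Operations": (8, (8, 18, 6)),
    "VMware Cloud Foundation": (9, (9, 0, 2, 0)),
    "VMware vSphere Foundation": (9, (9, 0, 2, 0)),
}


def parse_version(text):
    """Turn '8.18.6' or '9.0.1.0-24755599' into a tuple of ints; None if unparsable."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def pad(version, length):
    """Right-pad with zeros so (9, 0, 2) and (9, 0, 2, 0) compare as equal."""
    return version + (0,) * (length - len(version))


def triage(product, version_text, migration_in_progress=False):
    """Return FIXED, UNPATCHED, UNPATCHED-MIGRATION-ACTIVE, or UNKNOWN for one node."""
    entry = FIXED.get(product)
    version = parse_version(version_text)
    if entry is None or version is None:
        return "UNKNOWN"
    affected_major, fixed = entry
    if version[0] != affected_major:
        return "UNKNOWN"  # branch not covered by the version data on this page
    width = max(len(version), len(fixed))
    if pad(version, width) >= pad(fixed, width):
        return "FIXED"
    # The page states the flaw is exploitable while support-assisted
    # product migration is in progress, so those nodes are handled first.
    return "UNPATCHED-MIGRATION-ACTIVE" if migration_in_progress else "UNPATCHED"


# Constructed sample inventory: (node name, product, version, migration running?)
INVENTORY = [
    ("ops-node-01", "VMware Aria Operations", "8.18.5", True),
    ("ops-node-02", "VMware Aria Operations", "8.18.10", False),
    ("vcf-mgmt-01", "VMware Cloud Foundation", "9.0.1.0-24755599", False),
    ("vvf-mgmt-01", "VMware vSphere Foundation", "9.0.2", False),
    ("ops-legacy", "VMware Aria Operations", "7.5.0", False),
]

if __name__ == "__main__":
    for name, product, version, migrating in INVENTORY:
        print(f"{name:12} {product:27} {version:18} {triage(product, version, migrating)}")
```

Versions are compared numerically per component, so `8.18.10` sorts after `8.18.6`; anything outside the branches listed on this page is reported as `UNKNOWN` rather than assumed safe.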
### Workarounds
For administrators unable to patch immediately, VMware provided a workaround script:
1. Download the shell script `aria-ops-rce-workaround.sh` from the Broadcom knowledge base.
2. Execute the script as **root** on each Aria Operations Virtual Appliance node.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized or suspicious shell commands originating from the VMware Aria Operations Virtual Appliance, particularly during migration windows.
- **Detection methods and tools:** Review system logs for unusual activity involving the support-assisted migration features.
- **Remediation deadline:** Federal Civilian Executive Branch (FCEB) agencies are mandated by CISA to remediate this by **March 24, 2026**.
## References
- **Broadcom Security Advisory:** hxxps://support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
- **Broadcom Knowledge Base (Workaround):** hxxps://knowledge[.]broadcom[.]com/external/article/430349
- **CISA KEV Catalog:** hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Source:** hxxps://thehackernews[.]com/2026/03/cisa-adds-actively-exploited-vmware.html