Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, flagging the flaw as exploited in attacks. [...]
Analysis Summary
# Vulnerability: Unauthenticated Command Injection in VMware Aria Operations
## CVE Details
- **CVE ID:** CVE-2026-22719
- **CVSS Score:** 8.1 (Important)
- **CWE:** Command Injection
## Affected Systems
- **Products:** VMware Aria Operations (formerly vRealize Operations)
- **Versions:** All versions prior to the patches released on February 24, 2026.
- **Configurations:** Systems are vulnerable specifically while **support-assisted product migration** is in progress.
## Vulnerability Description
CVE-2026-22719 is a command injection vulnerability in the migration components of VMware Aria Operations. The flaw lies in how the system handles the migration service scripts: a malicious unauthenticated actor can inject arbitrary commands into the migration process, which are then executed with elevated privileges. A sudoers entry that allows `vmware-casa-workflow.sh` to run as root without a password provides a direct path to Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA; reports acknowledged by Broadcom).
- **Complexity:** Low (Unauthenticated access).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full system access/data exfiltration).
- **Integrity:** High (Ability to modify system files and configurations).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
- Organizations should update to the patched versions of VMware Aria Operations released on February 24, 2026, as specified in VMware advisory **VMSA-2026-0001**.
### Workarounds
A temporary shell script (`aria-ops-rce-workaround.sh`) is available for those unable to patch immediately. This script performs the following:
1. **Disables Migration Service:** Removes `/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh`.
2. **Removes Privileged Access:** Deletes the sudoers entry: `NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh`.
3. **Note:** The script must be executed as **root** on every appliance node.
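
A read-only way to confirm that both workaround changes are in place on a node, as an added example that is not Broadcom's `aria-ops-rce-workaround.sh` or code from the original report. The two script paths are those listed above; the optional root-prefix argument and the sudoers locations searched (`/etc/sudoers`, `/etc/sudoers.d/*`) are assumptions of this example.

```sh
#!/bin/sh
# Added example: read-only verification of the two workaround changes.
# Script paths come from the summary above. The root-prefix argument and the
# sudoers locations searched are assumptions made for this example.

MIGRATION_SCRIPT="/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh"
WORKFLOW_SCRIPT="/usr/lib/vmware-casa/bin/vmware-casa-workflow.sh"

# Succeeds when the migration service script no longer exists.
migration_service_removed() {
    [ ! -e "${1:-}${MIGRATION_SCRIPT}" ]
}

# Prints file:line:text for each active (uncommented) sudoers line that still
# grants NOPASSWD on the workflow script. Prints nothing when clean.
find_workflow_sudoers() {
    for f in "${1:-}/etc/sudoers" "${1:-}"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -HnE "^[^#]*NOPASSWD:.*${WORKFLOW_SCRIPT}" "$f" || true
    done
}

# Returns 0 only if both changes are in place; reports each finding.
check_workaround() {
    rc=0
    if migration_service_removed "${1:-}"; then
        echo "OK   migration service script absent"
    else
        echo "FAIL still present: ${1:-}${MIGRATION_SCRIPT}"
        rc=1
    fi
    hits="$(find_workflow_sudoers "${1:-}")"
    if [ -z "$hits" ]; then
        echo "OK   no NOPASSWD sudoers entry for ${WORKFLOW_SCRIPT}"
    else
        echo "FAIL NOPASSWD sudoers entry still present:"
        echo "$hits"
        rc=1
    fi
    return "$rc"
}

# On a node, as root: source this file, then run `check_workaround`
# (or `check_workaround /mnt/image` against a mounted copy).
```

Run it on every appliance node, since the workaround has to be applied per node; a non-zero return means at least one of the two changes is missing.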
## Detection
- **Indicators of Compromise:** Monitor for unauthorized execution of `vmware-casa-workflow.sh` or unexpected modifications to the `/usr/lib/vmware-casa/` directory.
- **Detection Methods:** Audit system logs for unauthenticated network requests targeting migration endpoints. Review CISA's KEV catalog updates for associated hashes or IP addresses as they become available.
## References
- **Vendor Advisory:** hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
- **Workaround Instructions:** hxxps[://]knowledge[.]broadcom[.]com/external/article/430349
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog