CISA Reports Active Exploitation of VMware Aria Operations

Take action: If you are using VMware Aria Operations, this is urgent. Your systems are under attack, so patch ASAP. If you can't patch, run the official workaround script to disable the migration service and block the primary attack path.


CISA warns of active exploitation of a vulnerability in Broadcom’s VMware Aria Operations. The primary flaw, tracked as CVE-2026-22719 (CVSS score 8.1), is reportedly being exploited in the wild to target virtualized infrastructure. 

Vulnerabilities summary:

  • CVE-2026-22719 (CVSS score 8.1) - A command injection vulnerability (CWE-77) that occurs during support-assisted product migrations. Unauthenticated attackers can inject malicious commands into the migration service, leading to remote code execution with root privileges. Exploitation relies on a logic error in how the system handles migration workflows, allowing attackers to bypass security boundaries without valid credentials.
  • CVE-2026-22720 (CVSS score 8.0) - A stored cross-site scripting (XSS) vulnerability that allows attackers with custom benchmark creation privileges to inject malicious scripts. These scripts execute when an administrator views the benchmark, potentially allowing the attacker to perform unauthorized administrative actions.
  • CVE-2026-22721 (CVSS score 6.2) - A privilege escalation vulnerability where a malicious actor with existing vCenter privileges can gain administrative access to Aria Operations. This allows an attacker to move from managing virtual machines to controlling the entire monitoring and optimization platform.

Successful exploitation of these flaws grants attackers full control over the Aria Operations appliance. Because these appliances often hold sensitive API keys and have broad network reach, they serve as ideal pivot points for lateral movement within a corporate network. 

CISA has mandated that federal agencies patch by March 24, 2026.

The vulnerabilities affect the following systems:

  • VMware Aria Operations (versions 8.x)
  • VMware Cloud Foundation (versions 4.x, 5.x, and 9.x)
  • VMware Telco Cloud Platform (versions 4.x and 5.x)
  • VMware Telco Cloud Infrastructure (versions 2.x and 3.x)
  • VMware vSphere Foundation

Broadcom released security patches in advisory VMSA-2026-0001.1 and recommends updating to version 9.0.2.0 or 8.18.6 immediately. For organizations unable to patch, a workaround script named "aria-ops-rce-workaround.sh" is available to disable the vulnerable migration components. This script removes the "vmware-casa-migration-service.sh" file and revokes the passwordless sudo entry for the workflow script to prevent exploitation.
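After running the workaround, it is worth confirming that both changes described above actually took effect. The following check is an added example, not part of Broadcom's advisory or script; the article gives no file paths and does not name the workflow script, so the search root, the sudoers location and the workflow script name are all passed as arguments.

```shell
#!/bin/sh
# Added example: verifies the post-workaround state the article describes.
# The article gives no paths and no workflow script name, so all three are
# arguments: <search-root> <sudoers-file-or-dir> <workflow-script-name>.

MIGRATION_SCRIPT="vmware-casa-migration-service.sh"  # file name from the article

# Return 0 if no copy of the migration script remains under directory $1.
migration_script_absent() {
    if [ ! -d "$1" ]; then
        printf 'cannot inspect %s: not a directory\n' "$1" >&2
        return 2
    fi
    found=$(find "$1" -type f -name "$MIGRATION_SCRIPT" 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf 'migration script still present:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Return 0 if no active (uncommented) NOPASSWD rule under $1 names script $2.
nopasswd_entry_absent() {
    if [ ! -e "$1" ]; then
        printf 'cannot inspect %s: no such file or directory\n' "$1" >&2
        return 2
    fi
    hits=$(grep -rhE '^[^#]*NOPASSWD' "$1" 2>/dev/null | grep -F -- "$2" || true)
    if [ -n "$hits" ]; then
        printf 'passwordless sudo rule still present:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run both checks so one failure does not hide the other.
check_workaround() {
    rc=0
    migration_script_absent "$1" || rc=1
    nopasswd_entry_absent "$2" "$3" || rc=1
    return "$rc"
}

# Only runs when invoked with the three arguments described above.
if [ "$#" -eq 3 ]; then
    check_workaround "$@" && echo "workaround state confirmed"
fi
```

Reading sudoers files normally requires root, so run the check with the same privileges used to apply the workaround.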