The US cybersecurity agency CISA has added a vulnerability in VMware Aria Operations, tracked as CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalogue, which indicates that the flaw is already being exploited in real attacks. The listing obliges US federal civilian agencies to remediate the flaw by 24 March 2026, a deadline that underlines the seriousness of the case and the need to act quickly.
VMware Aria Operations is a monitoring platform designed for enterprise environments: it tracks the performance and health of servers, networks and cloud resources. The flaw, which VMware and Broadcom disclosed and patched on 24 February 2026 in advisory VMSA-2026-0001, was rated "Important" with a CVSS score of approximately 8.1, which already pointed to a high risk if it was not corrected quickly.

According to the vendor, this is a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems; in the worst case this leads to remote code execution while a support-assisted migration process is under way. In other words, an attack vector tied to the migration utilities turns a legitimate feature into a dangerous entry point if the fixes are not applied.
Broadcom, which is responsible for supporting Aria Operations, released patches on the same day, 24 February, and also provided a workaround for those who cannot deploy the update immediately. The official patch and mitigation guidance are in the Broadcom security advisory; the interim measure is to run, as root, a script called aria-ops-rce-workaround.sh, which disables the components of the migration process that could be abused and removes a sudoers entry that allowed a workflow script to run with elevated privileges without prompting for a password. Broadcom later updated its advisory to note that it has received reports of exploitation in the wild but has not been able to validate those reports independently.
It is important to note that, so far, no technical details have been published explaining exactly how the vulnerability is being exploited in real attacks. This lack of public information complicates the detection of compromises, because response teams do not have comprehensive, corroborated indicators of compromise to work from. The general recommendation from the vendor and from CISA is therefore to prioritize applying the patch or, where that is not possible, to deploy the workaround and tighten controls around the affected instances.

For managers and security leads this means, beyond patching as soon as possible, not exposing management consoles unnecessarily and restricting access to Aria Operations nodes from untrusted networks. It is also advisable to review logs for unusual activity, check the integrity of migration-related binaries and scripts, and rotate administrative credentials at the slightest suspicion of compromise. Broadcom publishes the workaround and additional steps in its knowledge base.
The inclusion of CVE-2026-22719 in CISA's KEV catalogue is a call to attention: when the agency acts this way it is usually because there is evidence, direct or indirect, of active use in malicious campaigns and because the risk to critical infrastructure is considered significant. This is not the first recent case in which vulnerabilities in virtualization and management products have become attractive vectors for attackers, so security teams should treat this warning with the highest operational priority.
If you manage Aria Operations, the essential steps are to compare the version you run against the fixed versions listed by VMware, apply the vendor's patches and, in the meantime, implement whichever workaround Broadcom has approved. Keeping an eye on vendor updates and agency notices such as CISA's will help you adjust the response if new technical details about the exploitation techniques emerge.
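Two of the checks above, confirming that no passwordless sudoers rule remains for a workflow script and verifying that migration-related scripts have not been modified, can be automated. The script below is an added example written for this article; it is not Broadcom's aria-ops-rce-workaround.sh and it does not know the real sudoers entry or file paths that Broadcom removes or touches. Every path, the sample sudoers fragment and the baseline manifest are constructed for the demonstration; point the functions at your own sudoers drop-ins and at a baseline manifest you recorded from a known-good install.

```shell
#!/bin/sh
# Added example: audit sudoers-style files for passwordless (NOPASSWD) rules,
# comment those rules out in a copy, and verify files against a sha256 baseline.
# Not Broadcom's workaround script. All paths and sample content are constructed.

# Print the active (non-comment) lines of a sudoers-style file that grant NOPASSWD.
find_nopasswd_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Count active NOPASSWD rules; "0" means no passwordless rule is left in the file.
count_nopasswd_entries() {
    find_nopasswd_entries "$1" | grep -c . || true
}

# Comment out every active NOPASSWD rule. Work on a copy of the file, validate
# the copy with `visudo -c -f <copy>` and only then swap it in; never rewrite a
# live sudoers file directly.
disable_nopasswd_rules() {
    sed 's/^\([^#].*NOPASSWD.*\)$/# disabled: \1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Compare files against a baseline manifest of "sha256  path" lines (the format
# written by `sha256sum`). Prints each file whose hash changed and returns 1 if
# anything differs, 0 if every listed file still matches the baseline.
verify_baseline() {
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# --- Demonstration on constructed data ---------------------------------------
demo_dir=$(mktemp -d)

# Constructed sudoers fragment: one passwordless rule for a hypothetical
# workflow script, one ordinary rule. Not a real Aria Operations sudoers file.
cat > "$demo_dir/sudoers.sample" <<'EOF'
# constructed sample fragment
admin ALL=(ALL) NOPASSWD: /opt/example/workflow.sh
admin ALL=(ALL) ALL
EOF

echo "NOPASSWD rules before cleanup: $(count_nopasswd_entries "$demo_dir/sudoers.sample")"
find_nopasswd_entries "$demo_dir/sudoers.sample"
disable_nopasswd_rules "$demo_dir/sudoers.sample"
echo "NOPASSWD rules after cleanup:  $(count_nopasswd_entries "$demo_dir/sudoers.sample")"

# Constructed "migration script", baseline recorded while it is known-good,
# then tampered with to show the integrity check catching the change.
printf '#!/bin/sh\necho migrate\n' > "$demo_dir/migrate.sh"
sha256sum "$demo_dir/migrate.sh" > "$demo_dir/baseline.sha256"
verify_baseline "$demo_dir/baseline.sha256" && echo "baseline OK"
printf '#!/bin/sh\necho tampered\n' > "$demo_dir/migrate.sh"
verify_baseline "$demo_dir/baseline.sha256" || echo "integrity check failed as expected"

rm -rf "$demo_dir"
```

Record the baseline manifest from a freshly patched or freshly deployed node, store it off-box, and re-run verify_baseline against it as part of the post-patch review; a hash mismatch on a migration utility is exactly the kind of finding that should trigger the credential rotation the article recommends.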