The US cybersecurity agency CISA this week added to its Known Exploited Vulnerabilities (KEV) catalogue a serious flaw affecting Broadcom/VMware products, in particular VMware Aria Operations. The vulnerability is tracked as CVE-2026-22719 with a CVSS score of 8.1, and according to CISA its inclusion in the catalogue is due to signs of active exploitation in real environments (CISA alert).
In simple terms, the flaw allows command injection that an unauthenticated attacker could use to execute arbitrary commands in Aria Operations, particularly during support-assisted migration processes. Such a vulnerability opens the door to remote code execution, which in management and monitoring environments can result in administrative control and access to sensitive data from the virtualized infrastructure.

Broadcom published a technical advisory acknowledging the problem and describing the affected versions as well as the available fixes. The products mentioned include instances of VMware Cloud Foundation and VMware vSphere Foundation 9.x, and VMware Aria Operations 8.x; fixes are already available as specific patches. For example, the 9.x and 8.x branches receive updates that correct these weaknesses. The official Broadcom advisory, with the details and fixed versions, is available on its support page (Broadcom's notice).
Along with CVE-2026-22719, Broadcom fixed two other related flaws: CVE-2026-22720, which corresponds to a stored XSS, and CVE-2026-22721, which allows privilege escalation and could end in administrative access. The combination of command injection, XSS and privilege escalation in the same ecosystem significantly increases the operational risk, because a relatively simple initial vector can be chained to fully compromise a platform.
Organizations that cannot apply the patches immediately have a temporary measure proposed by the vendor: Broadcom published a mitigation script ("aria-ops-rce-workaround.sh") that must be downloaded and run as root on each node of the Aria Operations virtual machine. This interim solution is designed to reduce the exploitable surface until the final fix is installed; the guide and the download link are available in the vendor's knowledge base (Broadcom article).
For now there is no detailed public information on the specific techniques used by the attackers, or on the scale or origin of the campaigns that would be taking advantage of this vulnerability. Broadcom indicated that, although it has received reports of actual exploitation, it has not been able to independently verify the validity of all such reports. Even so, the fact that CISA has added the entry to the KEV catalogue implies that the risk signals have been considered serious enough to recommend urgent action by administrators and security teams.
In terms of regulatory and compliance obligations, inclusion in the CISA catalogue comes with a deadline: U.S. federal civilian agencies must apply the fixes by 24 March 2026. Such requirements often serve as practical guidance for other organizations: update as soon as possible, or segregate and mitigate while patching.

If you manage instances of VMware Aria Operations or related platforms, the priorities are clear. First, review the vendor's official advisories and download the versions that fix the flaws; second, if it is not possible to patch immediately, implement the temporary mitigation offered by Broadcom by running the script on each node of the application; and in parallel, tighten network controls and monitoring to detect abnormal activity. It is also recommended to review and filter administrative access, analyse logs for indicators of compromise and, if traces of exploitation are detected, activate incident response processes.
In addition to following the vendor's instructions, it is useful to keep a close watch on information from official sources as the case evolves. The entry in the CISA catalogue of known exploited vulnerabilities can be found on its KEV page (CISA KEV catalogue), and the CVE identifier offers a reference point for correlating reports and signatures in vulnerability management tools (CVE record). It is also advisable to visit the VMware website on Aria Operations to understand the functional context of the platform and assess the impact on operational workflows (VMware Aria Operations product page).
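One way to do the correlation described above, as an added example that is not part of the original article or any vendor tooling: open scanner findings are matched against a KEV-shaped feed and ranked by days remaining to the KEV due date. The feed excerpt, the findings and the host names are constructed; only the CVE id, vendor, product and due date come from the article.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Only values stated in
# the article are filled in; other feed fields are omitted.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom",
   "product": "VMware Aria Operations", "dueDate": "2026-03-24"}
]}
""")

# Constructed scanner findings; host names are hypothetical.
FINDINGS = [
    {"host": "aria-node1.example.internal", "cve": "CVE-2026-22719", "patched": False},
    {"host": "aria-node2.example.internal", "cve": "cve-2026-22719 ", "patched": True},
    {"host": "aria-node1.example.internal", "cve": "CVE-2026-22720", "patched": False},
]

def kev_index(feed):
    """Map normalized CVE id -> KEV entry."""
    return {v["cveID"].strip().upper(): v for v in feed.get("vulnerabilities", [])}

def triage(findings, feed, today):
    """Return open findings, KEV-listed first, nearest deadline first."""
    index = kev_index(feed)
    rows = []
    for f in findings:
        if f["patched"]:
            continue  # already remediated on this host
        cve = f["cve"].strip().upper()  # scanners differ in case and whitespace
        entry = index.get(cve)
        days_left = None
        status = "not-in-kev"
        if entry is not None:
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            status = "overdue" if days_left < 0 else "due"
        rows.append({"host": f["host"], "cve": cve, "status": status,
                     "days_left": days_left})
    # Sort: KEV entries before others, then fewest days remaining.
    rows.sort(key=lambda r: (r["days_left"] is None, r["days_left"] or 0))
    return rows

if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_SAMPLE, date(2026, 3, 10)):
        print(row)
```

A "not-in-kev" status only reflects the feed passed in; with the constructed one-entry excerpt it says nothing about the real catalogue.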
In short, although some technical details and the exact scale of attacks remain unclear, the recommendation is unequivocal: do not delay updates, and apply temporary mitigation measures if the patch cannot be installed immediately. The combination of a vulnerability with possible active exploitation, the involvement of management components and the existence of auxiliary vectors requires a rapid and coordinated response by IT and security teams.