Security Alert: VMware Aria Operations Command Injection Flaw Under Attack

CISA Adds VMware Aria Operations Flaw to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a newly discovered security flaw affecting Broadcom VMware Aria Operations, adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after reports of active attacks.

The vulnerability, tracked as CVE-2026-22719, has a severity score of 8.1 on the CVSS scale, indicating a serious security risk. According to security researchers, the flaw is a command injection vulnerability that could allow attackers to run malicious commands on affected systems.


Attackers Could Execute Remote Commands Without Authentication

The vulnerability is particularly dangerous because it does not require authentication. This means attackers could potentially exploit the flaw remotely without needing valid login credentials.

Security analysts warn that the issue may allow malicious actors to execute arbitrary commands during certain operational processes within VMware Aria Operations, particularly when support-assisted product migration is taking place.

If successfully exploited, the flaw could lead to remote code execution, giving attackers the ability to control the targeted system.


Additional Vulnerabilities Also Patched

Alongside the command injection flaw, Broadcom addressed two other security issues affecting the same platform:

  • CVE-2026-22720 – a stored cross-site scripting (XSS) vulnerability
  • CVE-2026-22721 – a privilege escalation flaw that could allow attackers to gain administrative access

Attackers could chain these vulnerabilities together to increase the impact of an attack.


Affected Products and Security Fixes

The vulnerabilities impact the following VMware products:

  • VMware Cloud Foundation and VMware vSphere Foundation 9.x
    • Fixed in version 9.0.2.0
  • VMware Aria Operations 8.x
    • Fixed in version 8.18.6

Organizations using these products are strongly advised to apply the latest security updates as soon as possible.
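
A triage sketch for the fixed versions listed above, added here as an example (it is not Broadcom or CISA tooling): it compares version strings from an inventory against the fixed releases numerically, so 8.9.1 is not mistaken for a release newer than 8.18.6. The product labels, host names and version strings are constructed for illustration, and anything outside the listed branches is flagged for manual review rather than guessed at.

```python
import re

# Fixed releases as stated in the article, keyed by (product label, major branch).
# The product labels are hypothetical names chosen for this example.
FIXED = {
    ("aria-operations", 8): (8, 18, 6),
    ("cloud-foundation", 9): (9, 0, 2, 0),
    ("vsphere-foundation", 9): (9, 0, 2, 0),
}

def parse_version(text):
    """Leading dotted-numeric part of a version string as a tuple of ints, else None."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(product, version_text):
    """Return 'patched', 'needs_update', or 'review' for one node."""
    ver = parse_version(version_text)
    if ver is None:
        return "review"  # version could not be read; check the node by hand
    fixed = FIXED.get((product, ver[0]))
    if fixed is None:
        return "review"  # product or branch not listed in the article
    width = max(len(ver), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    # Tuple comparison is numeric per component: 8.9.1 < 8.18.6, 9.0.2 == 9.0.2.0.
    return "patched" if pad(ver) >= pad(fixed) else "needs_update"

def hosts_by_status(inventory):
    """Group host names by triage result."""
    out = {"patched": [], "needs_update": [], "review": []}
    for host, product, version_text in inventory:
        out[triage(product, version_text)].append(host)
    return out

# Constructed inventory (host names and versions are made up for the example).
INVENTORY = [
    ("ops-node-01", "aria-operations", "8.18.6"),
    ("ops-node-02", "aria-operations", "8.9.1"),
    ("ops-node-03", "aria-operations", "8.18.5-build1"),
    ("vcf-mgmt-01", "cloud-foundation", "9.0.2"),
    ("vcf-mgmt-02", "cloud-foundation", "9.0.1.0"),
    ("legacy-01", "aria-operations", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in hosts_by_status(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
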


Temporary Workaround for Systems That Cannot Be Patched

For organizations that are unable to install the security updates immediately, Broadcom has released a temporary mitigation.

Administrators can run a security script named:

aria-ops-rce-workaround.sh

The script must be executed with root privileges on each Aria Operations virtual appliance node to reduce the risk of exploitation until the official patches are applied.


Details About the Attacks Remain Limited

Although the vulnerability has been added to CISA’s exploited vulnerabilities list, researchers have not yet revealed details about:

  • the attackers responsible
  • how the vulnerability is currently being exploited
  • how widespread the attacks may be

Broadcom has acknowledged reports suggesting exploitation may already be occurring but says it has not fully verified those claims.


Government Agencies Given Patch Deadline

Because the vulnerability is considered high risk, U.S. federal civilian agencies have been instructed to apply the available security fixes quickly.

Under federal cybersecurity requirements, affected government systems must be patched by March 24, 2026.


Why This Vulnerability Matters

VMware infrastructure is widely used in enterprise and government environments to manage virtual systems and cloud infrastructure.

A vulnerability that allows remote command execution in such platforms could provide attackers with a powerful foothold inside critical networks.

Security experts recommend that organizations using VMware Aria Operations review their systems immediately and apply the necessary updates to reduce the risk of compromise.