Another VMware Flaw Under Active Attack
CISA has added CVE-2026-22719, a high-severity command injection vulnerability in VMware Aria Operations (formerly vRealize Operations), to its Known Exploited Vulnerabilities (KEV) catalog after confirming the flaw is being actively exploited in the wild.
The vulnerability allows an unauthenticated attacker to execute arbitrary commands, potentially achieving full remote code execution on affected systems.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE | CVE-2026-22719 |
| CVSS Score | 8.1 (High Severity) |
| Type | Command Injection |
| Attack Vector | Network — unauthenticated |
| Impact | Remote code execution |
| Condition | Exploitable during support-assisted product migration |
| Vendor | Broadcom (VMware) |
| Patch Released | February 24, 2026 |
| KEV Addition | March 4, 2026 |
| FCEB Patch Deadline | March 24, 2026 |
How the Vulnerability Works
The flaw exists in VMware Aria Operations and can be exploited by a malicious unauthenticated actor while support-assisted product migration is in progress. During this migration window, the vulnerability allows execution of arbitrary commands that can lead to full remote code execution on the underlying system.
While Broadcom released security patches on February 24, the gap between patch availability and active exploitation has left many organizations exposed.
Active Exploitation Confirmed
CISA confirmed the vulnerability is being actively exploited, though details remain limited:
- Threat actors behind the exploitation have not been publicly identified
- Scale of attacks is currently unknown
- Targeted sectors have not been disclosed
- The exploitation appears to target organizations mid-migration or with migration services still accessible
Remediation
Patching
Broadcom released security patches on February 24, 2026. Organizations should apply these immediately.
Temporary Workaround
For organizations unable to apply patches immediately, Broadcom has provided a temporary workaround — details are available in Broadcom's security advisory. However, the workaround should be treated as a stopgap, not a permanent solution.
Federal Mandate
Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix by March 24, 2026, per CISA's KEV catalog requirements.
Impact Assessment
| Impact Area | Description |
|---|---|
| Affected environments | Any organization running VMware Aria Operations |
| Migration risk | Organizations mid-migration are especially vulnerable |
| Access achieved | Full RCE as an unauthenticated user |
| Enterprise exposure | Aria Operations is widely deployed for cloud infrastructure monitoring |
| Chained risk | RCE on a monitoring platform could provide visibility into entire virtualized environments |
Recommendations
For VMware Administrators
- Apply Broadcom's patches immediately — prioritize this over other maintenance tasks
- Audit migration service status — disable support-assisted migration endpoints if not actively in use
- Check for indicators of compromise on Aria Operations instances
- Restrict network access to Aria Operations management interfaces
For Security Teams
- Scan for CVE-2026-22719 across your environment using vulnerability management tools
- Monitor Aria Operations logs for unusual command execution or access patterns
- Verify patch deployment across all instances — shadow IT VMware deployments are common
- Implement network segmentation to isolate monitoring platforms from production workloads
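For the "verify patch deployment across all instances" step and the March 24 deadline, the following added example (not from Broadcom, CISA, or this article's author) matches a KEV feed entry against an asset inventory and ranks hosts by urgency. The inventory layout, hostnames, and the `patched_on` field are assumptions; the KEV field names follow CISA's JSON feed, and the sample entry is constructed from the dates reported above.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed; the dates are the
# ones this article reports, the other field values are illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-22719",
    "vendorProject": "Broadcom",
    "product": "VMware Aria Operations",
    "dateAdded": "2026-03-04",
    "dueDate": "2026-03-24",
}]})

# Hypothetical inventory export: hostnames and the patched_on field are made up.
INVENTORY = [
    {"host": "ariaops-01.example.internal", "product": "VMware Aria Operations", "patched_on": "2026-02-27"},
    {"host": "ariaops-dr.example.internal", "product": "VMware Aria Operations", "patched_on": "2026-03-08"},
    {"host": "ariaops-lab.example.internal", "product": "vmware aria operations", "patched_on": None},
]

def triage(kev_json, inventory, today):
    """Return one finding per host that runs a KEV-listed product, most urgent first."""
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        product = vuln["product"].strip().lower()
        added = date.fromisoformat(vuln["dateAdded"])
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if asset["product"].strip().lower() != product:
                continue
            patched = asset.get("patched_on")
            if patched is None:
                status = "OVERDUE" if today > due else "UNPATCHED"
            elif date.fromisoformat(patched) > added:
                # Patched only after the KEV listing: the host was exposed while
                # exploitation was already confirmed, so review it for compromise.
                status = "PATCHED_LATE_REVIEW"
            else:
                status = "PATCHED"
            findings.append({"host": asset["host"], "cve": vuln["cveID"],
                             "status": status, "days_to_due": (due - today).days})
    # Sort order: overdue, then unpatched, then late patches, then clean hosts.
    order = {"OVERDUE": 0, "UNPATCHED": 1, "PATCHED_LATE_REVIEW": 2, "PATCHED": 3}
    return sorted(findings, key=lambda f: (order[f["status"]], f["host"]))

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 3, 10)):
        print(f"{f['status']:<20} {f['cve']}  {f['host']}  due in {f['days_to_due']}d")
```

Matching on the product string is brittle; in practice, join on whatever product identifier your inventory or scanner already normalizes.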
Key Takeaways
- CVE-2026-22719 is the second VMware vulnerability added to CISA's KEV catalog in 2026
- Unauthenticated RCE on a monitoring platform is exceptionally dangerous — it provides attackers visibility into the entire infrastructure
- The migration-window attack surface is an unusual vector that organizations may not have accounted for in their threat models
- Patches have been available since February 24; organizations that haven't applied them remain exposed to a flaw that is now confirmed to be under active exploitation
- VMware/Broadcom products continue to be high-value targets for threat actors due to their prevalence in enterprise data centers