Broadcom and Federal Civilian Executive Branch: CISA Warns of VMware Aria Operations Vulnerability Exploited in Attacks

Critical VMware Aria Operations Vulnerability Exploited in the Wild, Added to CISA KEV Catalog

A severe command injection vulnerability in VMware Aria Operations, an IT operations management platform for data centers and cloud environments, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation emerged.

The flaw, tracked as CVE-2026-22719, allows unauthenticated attackers to execute arbitrary commands on affected systems, leading to remote code execution (RCE). Exploitation occurs during support-assisted product migrations, posing a high risk to organizations using the platform. Successful attacks could grant threat actors unauthorized system access, command execution, and potential full infrastructure compromise.

Broadcom, VMware’s parent company, released a security advisory detailing the issue, which stems from a CWE-77 (Command Injection) weakness. While the CVSS score remains unassigned, CISA’s inclusion of the vulnerability in the KEV catalog confirms its severity. The agency has not disclosed whether the flaw has been leveraged in ransomware attacks or identified specific threat actors behind the exploitation.

Under CISA’s Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by March 24, 2026, either by applying patches or discontinuing use of the product if mitigations are unavailable. Private sector organizations are also urged to prioritize fixes, following Broadcom’s official guidance.

The vulnerability was initially reported to Broadcom, which released patches and workarounds. However, the confirmation of in-the-wild exploitation underscores the urgency for affected users to act. VMware Aria Operations, formerly known as vRealize Operations (vROps), is widely deployed for monitoring, management, and optimization of hybrid and multi-cloud environments.

Source: https://cybersecuritynews.com/vmware-aria-operations-vulnerability-2/

Broadcom TPRM report: https://www.rankiteo.com/company/vmware

Federal Civilian Executive Branch TPRM report: https://www.rankiteo.com/company/federal-university-of-technology-owerri

"id": "fedvmw1772605503",
"linkid": "federal-university-of-technology-owerri, vmware",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"