CISA Confirms Active Exploitation of VMware Aria Operations Vulnerability

A high-severity VMware vulnerability is being exploited in the wild and federal agencies have less than three weeks to fix it.


A newly flagged flaw in VMware Aria Operations is giving attackers a direct path to remote code execution — no login required.

On March 4, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog. The move signals what security teams already suspected: someone is actively using this flaw against real targets.

What Happened?

CVE-2026-22719 is a command injection vulnerability in Broadcom's VMware Aria Operations, carrying a CVSS score of 8.1. It lets an unauthenticated attacker run arbitrary commands on the affected system — potentially leading to full remote code execution — while support-assisted product migration is in progress.

Broadcom originally disclosed and patched the flaw on February 24, 2026, as part of its VMSA-2026-0001 advisory. Alongside CVE-2026-22719, the company also patched two related issues: CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation flaw that could hand attackers administrative access.

Broadcom released a temporary workaround — a shell script called "aria-ops-rce-workaround.sh" — for organizations that can't apply patches right away. It must be run as root on each Aria Operations appliance node and disables the migration components most likely to be abused during an attack.

Whether the vulnerability was exploited as a zero-day before the patch dropped, or only after, remains unclear. Broadcom says it is aware of reports of potential exploitation but has not independently confirmed them.

What's the Impact?

VMware Aria Operations is a widely deployed infrastructure monitoring platform. It stores credentials for connecting to monitored infrastructure, which means compromising it gives attackers a single pivot point into an organization's entire virtualization and cloud environment.

A successful exploit could give threat actors full control over the VMware Aria Operations appliance — opening the door to lateral movement across the network, data theft, or deployment of additional malicious payloads.

This isn't an isolated incident. CVE-2026-22719 follows a clear pattern: VMware infrastructure has been a top target for both nation-state actors and ransomware groups over the past several years, with multiple critical flaws across vCenter, ESXi, and Aria Operations exploited in quick succession.

CISA has mandated that all Federal Civilian Executive Branch agencies remediate the vulnerability by March 24, 2026, under Binding Operational Directive 22-01. While that order only covers federal agencies, CISA is urging every organization running VMware Aria Operations to treat this as a priority.

How to Avoid This

The fix is available; the main risk now is delay.

Apply Broadcom's security patches for VMware Aria Operations immediately. If patching isn't possible right now, run the provided workaround script on every appliance node before your remediation window closes.
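One way to keep a KEV-driven deadline like this one from slipping is to triage the CISA KEV feed against your own asset inventory and rank entries by how many days remain before the BOD 22-01 due date. The script below is an added example and is not code from the article, CISA or Broadcom. It assumes the public KEV JSON feed layout (a top-level `vulnerabilities` list whose records carry `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate`); the single sample record is constructed inline from the values the article states (the CVE ID, the March 4 catalog addition and the March 24 due date), and `INVENTORY_PRODUCTS` stands in for whatever your CMDB or asset inventory would supply.

```python
"""Triage a CISA KEV feed extract against an asset inventory.

Added example, not part of the original article. Assumes the CISA KEV JSON
feed layout; the sample record below is constructed from values stated in
the article, and the inventory set is a placeholder for a real asset list.
"""
import json
from datetime import date

# Constructed sample: one KEV record in the feed's layout. CVE ID, product,
# dateAdded and dueDate are the values the article reports; the description
# and requiredAction strings are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-22719",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations",
            "vulnerabilityName": "VMware Aria Operations Command Injection Vulnerability",
            "dateAdded": "2026-03-04",
            "shortDescription": "(placeholder description)",
            "requiredAction": "(placeholder: apply vendor patch or workaround)",
            "dueDate": "2026-03-24",
        }
    ],
})

# Products we actually run, spelled as the KEV feed names them. In practice
# this set would be generated from an asset inventory (assumption).
INVENTORY_PRODUCTS = {"VMware Aria Operations"}


def parse_kev(feed_json: str) -> list[dict]:
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def triage(entries: list[dict], inventory_products: set[str],
           today: date, warn_days: int = 7) -> list[dict]:
    """Match KEV entries to inventoried products and classify each by deadline.

    status is 'overdue' when the due date has passed, 'due_soon' when it is
    within warn_days, and 'scheduled' otherwise. Results are sorted so the
    most urgent entry comes first.
    """
    results = []
    for entry in entries:
        if entry.get("product") not in inventory_products:
            continue  # not in our estate; nothing to remediate here
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= warn_days:
            status = "due_soon"
        else:
            status = "scheduled"
        results.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "status": status,
        })
    results.sort(key=lambda r: r["daysLeft"])
    return results


if __name__ == "__main__":
    # Run against the constructed sample as if today were March 20, 2026.
    for row in triage(parse_kev(SAMPLE_KEV_JSON), INVENTORY_PRODUCTS, date(2026, 3, 20)):
        print(f"{row['cveID']}  {row['product']}  due {row['dueDate']}  "
              f"({row['daysLeft']} days left)  {row['status']}")
```

Exact product-name matching is deliberate: fuzzy matching against a feed with hundreds of vendors produces noisy hits, so it is better to normalise the inventory's product names to the feed's spelling once. Run with a live feed, the same `triage` call gives a daily list ordered by days remaining, which is what a vulnerability-management queue needs.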

Organizations that cannot apply mitigations at all are advised to stop using the product entirely until a fix is in place. Network defenders should also monitor closely for unauthorized access or unusual activity around support-assisted migration features.

One often-overlooked gap: security teams frequently exclude infrastructure monitoring tools from endpoint detection coverage, creating a visibility blind spot that attackers count on. If Aria Operations isn't already in scope for your detection monitoring, now's a good time to change that.