The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Identified Exploited Vulnerabilities catalog, flagging the flaw as exploited in assaults.
Broadcom additionally warned that it’s conscious of experiences indicating the vulnerability is exploited however says it can not independently affirm the claims.
VMware Aria Operations is an enterprise monitoring platform that helps organizations observe the efficiency and well being of servers, networks, and cloud infrastructure.
The vulnerability was initially disclosed and patched on February 24, 2026, as a part of VMware’s VMSA-2026-0001 advisory, which was rated Vital with a CVSS rating of 8.1.
The flaw has now been added to the CISA’s Identified Exploited Vulnerabilities (KEV) catalog, with the US cyber company requiring federal civilian companies to deal with the difficulty by March 24, 2026.
In a current replace to the advisory, Broadcom mentioned it’s conscious of experiences indicating the vulnerability is exploited in assaults however can not affirm the claims.
“Broadcom is conscious of experiences of potential exploitation of CVE-2026-22719 within the wild, however we can not independently affirm their validity,” states the up to date advisory.
Right now, no technical particulars about how the flaw could also be exploited have been publicly disclosed.
BleepingComputer contacted Broadcom with questions relating to the reported exercise, however has not acquired a response.
The command injection flaw
In response to Broadcom, CVE-2026-22719 is a command injection vulnerability that enables an unauthenticated attacker to execute arbitrary instructions on weak methods.
“A malicious unauthenticated actor might exploit this challenge to execute arbitrary instructions which can result in distant code execution in VMware Aria Operations whereas support-assisted product migration is in progress,” the advisory explains.
Broadcom launched safety patches on February 24 and likewise offered a short-term workaround for organizations unable to use the patches instantly.
The mitigation is a shell script named “aria-ops-rce-workaround.sh,” which should be executed as root on every Aria Operations equipment node.
The script disables parts of the migration course of that may very well be abused throughout exploitation, together with eradicating the “/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh” and the next sudoers entry that enables vmware-casa-workflow.sh to run as root with out a password:
NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh
Admins are suggested to use accessible VMware Aria Operations safety patches or implement workarounds as quickly as potential, particularly if the flaw is being actively exploited in assaults.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
