The U.S. cybersecurity agency CISA has added a VMware Aria Operations vulnerability (CVE-2026-22719) to its catalog of known exploited flaws, requiring federal agencies to patch it. Broadcom, VMware's parent company, acknowledges reports of active exploitation but cannot independently confirm them. The critical command injection flaw, patched in February 2026, allows unauthenticated attackers to execute arbitrary commands. Organizations are urged to apply the provided patches or a temporary script-based workaround immediately. The main topics covered are the critical vulnerability's active exploitation status, the mandated patching timeline, and the technical details of the flaw and its mitigation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, flagging the flaw as exploited in attacks.
Broadcom also warned that it is aware of reports indicating the vulnerability is exploited but says it cannot independently confirm the claims.
VMware Aria Operations is an enterprise monitoring platform that helps organizations track the performance and health of servers, networks, and cloud infrastructure.
The vulnerability was originally disclosed and patched on February 24, 2026, as part of VMware's VMSA-2026-0001 advisory, which was rated Important with a CVSS score of 8.1.
The flaw has now been added to the CISA's Known Exploited Vulnerabilities (KEV) catalog, with the US cyber agency requiring federal civilian agencies to address the issue by March 24, 2026.
In a recent update to the advisory, Broadcom said it is aware of reports indicating the vulnerability is exploited in attacks but cannot confirm the claims.
"Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity," states the updated advisory.
At this time, no technical details about how the flaw may be exploited have been publicly disclosed.
BleepingComputer contacted Broadcom with questions regarding the reported activity, but has not received a response.
The command injection flaw
According to Broadcom, CVE-2026-22719 is a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems.
"A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress," the advisory explains.
Broadcom released security patches on February 24 and also provided a temporary workaround for organizations unable to apply the patches immediately.
The mitigation is a shell script named "aria-ops-rce-workaround.sh," which must be executed as root on each Aria Operations appliance node.
The script disables components of the migration process that could be abused during exploitation, including removing the "/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh" and the following sudoers entry that allows vmware-casa-workflow.sh to run as root without a password:
NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh
Admins are advised to apply available VMware Aria Operations security patches or implement workarounds as soon as possible, especially if the flaw is being actively exploited in attacks.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Meridiano
