Broadcom Patches VMware Aria Operations RCE Vulnerabilities in VMSA-2026-0001
Broadcom released VMSA-2026-0001 on February 24, 2026, addressing three VMware Aria Operations vulnerabilities. CVE-2026-22719 enables unauthenticated remote code execution (RCE) during migrations and carries a CVSS score of 8.1. Patches are available immediately for Aria Operations 8.x and the Cloud Foundation bundles.
The VMware Aria Operations analytics platform powers Cloud Foundation and Telco Cloud deployments. CVE-2026-22719 is a command injection flaw in support-assisted migrations: an attacker can execute arbitrary code without authentication while an upgrade process is running.
CVE-2026-22720, a stored XSS flaw, lets a privileged user inject scripts via custom benchmarks; the malicious content then triggers administrative actions. CVE-2026-22721, a privilege escalation flaw, grants vCenter users full Aria Operations administrator access.
Broadcom rates all three vulnerabilities at Important severity. No exploitation in the wild was reported at disclosure. The affected versions span multiple enterprise bundles, so version verification is urgent.
Deutsche Telekom Security researcher Tobias Anders discovered CVE-2026-22719. ERNW researchers Sven Nobis and Lorin Lehawany reported the remaining two flaws. The credits are published in the official advisory.
The patching roadmap prioritizes migration-impacted environments first. A workaround exists solely for the command injection flaw, via the KB430349 configuration change.
Vulnerability Details Table
| CVE ID | CVSS Score | Type | Requirements | Impact |
|---|---|---|---|---|
| CVE-2026-22719 | 8.1 | Command Injection | Unauthenticated, migration active | RCE |
| CVE-2026-22720 | 8.0 | Stored XSS | Privileged user | Admin actions |
| CVE-2026-22721 | 6.2 | Privilege Escalation | vCenter access | Admin rights |
Affected Products Matrix
| Product | Component | Versions | Fixed Version | Workaround |
|---|---|---|---|---|
| Cloud Foundation | Aria Operations | 9.x | 9.0.2.0 | KB430349 |
| Aria Operations | Standalone | 8.x | 8.18.6 | KB430349 |
| Cloud Foundation | Aria Operations | 5.x, 4.x | KB92148 | KB430349 |
| Telco Cloud Platform | Aria Operations | 5.x, 4.x | KB428241 | KB430349 |
| Telco Cloud Infrastructure | Aria Operations | 3.x, 2.x | KB428241 | KB430349 |
KB430349 temporarily disables the vulnerable migration endpoints. The full patches restore that functionality with hardened input validation.
Patch Deployment Steps
- Verify the Aria Operations version against the affected products matrix
- Download the corresponding bundle from the Broadcom portal
- Apply KB430349 immediately if patching is delayed
- Test migrations after the upgrade
- Audit custom benchmark configurations
- Monitor vCenter user permissions
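The first and third steps above (check the running version against the matrix, fall back to KB430349 when the patch cannot be applied yet) are easy to get wrong at scale when inventories mix standalone, Cloud Foundation and Telco Cloud bundles. The following triage helper is an added example written for this article, not Broadcom tooling. The matrix rows are copied from the table above; the rule that a build at or above the listed fixed version is patched, and any lower build in the same major line is affected, is an assumption, since the advisory lists only the fixed build. The inventory lines at the bottom are constructed sample input.

```python
"""Triage helper: check Aria Operations inventory against the VMSA-2026-0001 matrix.

Added example, not Broadcom's code. Matrix rows come from the advisory table
reproduced above; the "at or above fixed build means patched" rule is an assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.18.5' -> (8, 18, 5); a trailing build suffix such as '8.18.5-12345' is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))


def version_lt(a: Version, b: Version) -> bool:
    """Compare versions of unequal length by zero-padding: (8, 18) < (8, 18, 6)."""
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


@dataclass(frozen=True)
class MatrixRow:
    product: str
    affected_majors: Tuple[int, ...]   # major versions the row covers ("5.x, 4.x" -> (5, 4))
    fixed_version: Optional[Version]   # None when the fix is delivered through a KB article
    fix_reference: str                 # fixed build or KB number, as printed in the matrix
    workaround: str = "KB430349"       # the only workaround, and only for CVE-2026-22719


# Rows copied from the "Affected Products Matrix" above.
MATRIX = (
    MatrixRow("Cloud Foundation", (9,), (9, 0, 2, 0), "9.0.2.0"),
    MatrixRow("Aria Operations", (8,), (8, 18, 6), "8.18.6"),
    MatrixRow("Cloud Foundation", (5, 4), None, "KB92148"),
    MatrixRow("Telco Cloud Platform", (5, 4), None, "KB428241"),
    MatrixRow("Telco Cloud Infrastructure", (3, 2), None, "KB428241"),
)


@dataclass(frozen=True)
class Assessment:
    status: str   # "patched", "affected", "verify_kb" or "not_in_matrix"
    action: str


def assess(product: str, version_text: str, migration_active: bool = False) -> Assessment:
    """Map one inventory entry to a patch/workaround decision."""
    v = parse_version(version_text)
    row = next((r for r in MATRIX if r.product == product and v[0] in r.affected_majors), None)
    if row is None:
        return Assessment("not_in_matrix",
                          "Product/major version not listed in the VMSA-2026-0001 matrix; confirm against the advisory.")
    if row.fixed_version is None:
        # Fix ships as a KB-delivered update, so the version string alone cannot prove it is applied.
        return Assessment("verify_kb",
                          f"Fix delivered via {row.fix_reference}; confirm it is applied, "
                          f"otherwise apply workaround {row.workaround}.")
    if not version_lt(v, row.fixed_version):
        return Assessment("patched", f"Running {version_text}, at or above fixed build {row.fix_reference}.")
    action = (f"Upgrade to {row.fix_reference}; until then apply {row.workaround} "
              f"to disable the migration endpoints.")
    if migration_active:
        # A support-assisted migration in progress is the precondition for unauthenticated RCE.
        action = "URGENT (CVE-2026-22719 exposure during migration): " + action
    return Assessment("affected", action)


if __name__ == "__main__":
    # Constructed inventory: (product, version, support-assisted migration in progress?)
    inventory = [
        ("Aria Operations", "8.18.5", True),
        ("Cloud Foundation", "9.0.2.0", False),
        ("Telco Cloud Platform", "4.2.0", False),
    ]
    for product, ver, migrating in inventory:
        a = assess(product, ver, migrating)
        print(f"{product} {ver}: {a.status} -> {a.action}")
```

Feeding a real inventory export into `assess()` gives one line per host stating whether it is patched, still exposed (with the workaround to apply meanwhile), or fixed through a KB that the version string cannot confirm on its own. The `migration_active` flag exists because the unauthenticated path only opens while a support-assisted migration is running, which is why those hosts are flagged first.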
Enterprise telco deployments face the highest exposure during planned upgrades. The three flaws could potentially be chained into an RCE sequence. Broadcom recommends staging patches before migration windows.
No evidence of active exploitation campaigns has been detected. The rapid disclosure follows coordinated reporting by the researchers.
FAQ
- Aria Operations during support-assisted migrations via CVE-2026-22719.
- 8.1 command injection, 8.0 stored XSS, 6.2 privilege escalation.
- Only CVE-2026-22719 via KB430349 endpoint disablement.
- Tobias Anders (Deutsche Telekom), Sven Nobis, Lorin Lehawany (ERNW).
- 9.0.2.0 bundle addresses all three CVEs.
- Full functionality restored with command validation hardening.