CISA adds VMware Aria Operations flaw to KEV after active exploitation reports


CISA has added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, putting VMware Aria Operations users on notice that the flaw is now considered actively exploited in the wild. The vulnerability affects VMware Aria Operations and related Broadcom products that bundle it, and Broadcom says an unauthenticated attacker may exploit it to execute arbitrary commands that could lead to remote code execution while support-assisted product migration is in progress.

This is a serious enterprise bug because Aria Operations often sits deep inside monitoring and management environments. If attackers gain code execution there, they may get a foothold in systems that already have broad visibility into infrastructure, cloud resources, and operations data. Broadcom rated the flaw Important with a CVSS 8.1, and CISA’s KEV entry says federal agencies must address it by March 24, 2026.

The sample article gets the main point right, but it overstates a few things. CISA has evidence of exploitation, but neither CISA nor Broadcom has publicly named the threat actors or described a ransomware link. Also, Broadcom’s advisory does not frame the issue as a general always-on unauthenticated RCE. It says exploitation happens during support-assisted product migration, which is an important condition defenders should not leave out.

What Broadcom says is vulnerable

Broadcom disclosed the issue on February 24, 2026 in VMSA-2026-0001, alongside two additional VMware Aria Operations flaws, CVE-2026-22720 and CVE-2026-22721. The advisory says the affected product set includes VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure.

Broadcom’s workaround article says CVE-2026-22719 directly impacts Aria Operations 8.18.x and 9.0.x, specifically 8.18.5 and earlier plus 9.0.1 and earlier. The company says the issue is fixed in Aria Operations 8.18.6, Aria Operations 9.0.2, VCF 5.2.3, and VCF 9.0.2.

Vulnerability details at a glance

| Item | Details |
| --- | --- |
| CVE | CVE-2026-22719 |
| Product | VMware Aria Operations and bundled platforms |
| Bug type | Command injection |
| Severity | CVSS 8.1, Broadcom "Important" |
| Authentication required | No |
| Exploitation condition | Support-assisted product migration in progress |
| Fixed versions | Aria Operations 8.18.6 and 9.0.2; VCF 5.2.3 and 9.0.2 |
| KEV due date for FCEB agencies | March 24, 2026 |

Why the KEV addition matters

A KEV listing changes the urgency. CISA’s KEV catalog is the federal government’s running list of vulnerabilities known to be exploited in the wild, and agencies must act on those entries by the listed deadline. The NVD page for CVE-2026-22719 reflects the same KEV information and shows the required action as applying vendor mitigations, following BOD 22-01 guidance for cloud services, or discontinuing use if mitigations are unavailable.

Outside the federal government, the KEV listing still matters because it signals that patching this should be treated as incident response work, not routine backlog work. Organizations running exposed or internet-reachable Aria Operations environments should assume attackers may already be scanning for vulnerable systems. That is especially true for products that manage or observe large parts of enterprise infrastructure.

Patch guidance and workaround

Broadcom says the right long-term fix is to upgrade to the patched releases. For customers that cannot patch immediately, Broadcom also published a temporary workaround script named aria-ops-rce-workaround.sh. Its knowledge base article says admins should copy that script to the Aria Operations Virtual Appliance Primary node, make it executable, and run it as root.

There is one major limitation. Broadcom explicitly says that workaround is only for CVE-2026-22719. It does not mitigate CVE-2026-22720 or CVE-2026-22721, which were disclosed in the same advisory. To address those two flaws, Broadcom says customers must upgrade to the latest fixed version.

What organizations should do now

  • Patch first if you can. Move to Aria Operations 8.18.6 or 9.0.2, or the corresponding fixed VCF release.
  • Use the Broadcom workaround immediately if you cannot patch right away, but treat it as temporary.
  • Review whether support-assisted migration is in use or exposed in your environment, since Broadcom ties exploitation to that state.
  • Do not ignore the other two CVEs from the same advisory, because the workaround does not cover them.
  • Prioritize this like an active compromise risk, not just a routine maintenance update, because CISA added it to KEV.
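To turn the version ranges and the KEV deadline above into a remediation list, here is an added Python triage script (not Broadcom's or CISA's code). The inventory hostnames and the KEV-style record are constructed sample data; only the affected ranges, fixed releases and due date come from the article, and branches the advisory does not name are reported as "unlisted" rather than assumed safe.

```python
"""Triage a constructed inventory of Aria Operations appliances against the
version ranges Broadcom lists for CVE-2026-22719 (added example, not vendor code)."""

# Branches named in the workaround article: last vulnerable release -> fixed release.
# Any branch missing here is reported as "unlisted", not as safe.
AFFECTED_BRANCHES = {
    (8, 18): ((8, 18, 5), "8.18.6"),
    (9, 0): ((9, 0, 1), "9.0.2"),
}

# Constructed record in the shape of a CISA KEV catalog entry (sample data).
KEV_RECORD = {
    "cveID": "CVE-2026-22719",
    "product": "Aria Operations",
    "dueDate": "2026-03-24",
}

def parse_version(text: str) -> tuple[int, ...]:
    """'8.18.5.24712345' -> (8, 18, 5, 24712345). Numeric tuples compare
    correctly; a string compare would rank '8.18.10' below '8.18.5'."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(version: str) -> dict:
    """Classify one build as affected, patched, or in an unlisted branch. Only
    major.minor.patch is compared, so a trailing build number does not make
    8.18.5.<build> look newer than the last vulnerable release 8.18.5."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in AFFECTED_BRANCHES:
        return {"version": version, "status": "unlisted", "fixed_in": None}
    last_vulnerable, fixed_in = AFFECTED_BRANCHES[branch]
    status = "affected" if v[:3] <= last_vulnerable else "patched"
    return {"version": version, "status": status, "fixed_in": fixed_in}

def triage(inventory: dict[str, str], kev: dict = KEV_RECORD) -> list[dict]:
    """Return one row per host, affected hosts first, each tagged with the
    KEV due date so the remediation deadline travels with the finding."""
    rows = []
    for host, version in inventory.items():
        rows.append({"host": host, **assess(version),
                     "cve": kev["cveID"], "kev_due": kev["dueDate"]})
    order = {"affected": 0, "unlisted": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample data.
    sample = {"ops-a": "8.18.5.24712345", "ops-b": "9.0.2",
              "ops-c": "8.17.3", "ops-d": "8.18.10"}
    for row in triage(sample):
        print(row)
```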

FAQ

What is CVE-2026-22719?

It is a command injection vulnerability in VMware Aria Operations. Broadcom says an unauthenticated attacker may exploit it to run arbitrary commands, which can lead to remote code execution while support-assisted product migration is in progress.

Is this flaw really being exploited?

CISA added it to the Known Exploited Vulnerabilities catalog, which means CISA has evidence of active exploitation. Broadcom’s original advisory did not confirm exploitation details, but the KEV addition is the clearest public sign that defenders should treat this as an active threat.

Which versions are fixed?

Broadcom says the issue is fixed in Aria Operations 8.18.6, Aria Operations 9.0.2, VCF 5.2.3, and VCF 9.0.2.

Can I just use the workaround and skip patching?

Only as a short-term step. Broadcom says the workaround only addresses CVE-2026-22719 and does not mitigate the other two vulnerabilities disclosed in the same advisory.
