The Vulnerability
CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations, Broadcom’s enterprise IT operations management platform used to monitor performance, capacity, and configuration across virtualised infrastructure including vSphere, NSX, and cloud environments.
The flaw has a CVSS score of 8.1 (High) and is exploitable when the product’s support-assisted migration functionality is in use. An unauthenticated attacker can execute arbitrary operating system commands on the Aria Operations appliance — a privileged management system that has visibility into the entire virtualised environment it monitors.
Broadcom patched CVE-2026-22719 as part of security advisory VMSA-2026-0001, released on 24 February 2026. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue shortly after, with a federal agency patch deadline of 24 March 2026 — tomorrow.
Why Aria Operations Is a High-Value Target
VMware Aria Operations (formerly vRealize Operations) is designed to have deep integration into an organisation’s entire virtualised infrastructure. Its monitoring role requires privileged access to:
- vSphere and ESXi hypervisors — providing visibility into all virtual machines, host configurations, and network topology
- NSX network virtualisation — including firewall rule sets, microsegmentation policies, and virtual network configurations
- Cloud environments (AWS, Azure, Google Cloud) connected to hybrid VMware deployments
- Custom dashboards, alert thresholds, and automation workflows that may reveal operational security posture
An attacker who controls Aria Operations gains a comprehensive map of the virtualised environment and may be able to pivot laterally to the hypervisor layer or cloud infrastructure. Management plane compromise is qualitatively more severe than a single workload compromise.
Exploitation Activity
Broadcom acknowledged reports of active exploitation but stated it could not independently verify the full scope of attacks. Multiple threat intelligence sources have confirmed malicious activity targeting CVE-2026-22719 following initial disclosure, with attackers specifically targeting organisations that delayed applying the February patch.
The pattern is consistent with other Broadcom/VMware management infrastructure vulnerabilities: threat actors monitor patch advisories and immediately target the gap between disclosure and enterprise patching cycles — which for complex management infrastructure can run to weeks or months.
Affected Versions and Patching
CVE-2026-22719 affects VMware Aria Operations versions prior to those addressed in VMSA-2026-0001. Broadcom released patches on 24 February 2026 and also provided a temporary workaround for organisations unable to apply the patch immediately. Applying the workaround is acceptable for short-term risk reduction; the permanent fix should be applied as soon as operationally possible.
Recommended Actions
- Apply the VMSA-2026-0001 patch immediately — the federal deadline is tomorrow, and active exploitation confirms there is no safe delay window for this vulnerability
- If patching is delayed, apply Broadcom’s documented workaround and verify it is correctly implemented before the end of business today
- Audit Aria Operations access logs for unusual command execution, unexpected API calls, or authentication anomalies from the past 30 days — particularly around and after the 24 February advisory publication date
- Review cloud connector configurations: check whether Aria Operations cloud integrations (AWS, Azure, GCP) have service account credentials with more permissions than necessary; rotate those credentials as a precaution
- Verify network segmentation: the Aria Operations management interface should not be directly accessible from corporate user networks or the internet — confirm it sits in a dedicated management network segment with strict access controls
- Monitor for lateral movement indicators from the Aria Operations appliance IP range, particularly authentication attempts to vCenter, ESXi hosts, or cloud management consoles
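The log-audit and lateral-movement checks above can be scripted against exported authentication events. The following is an added example, not code from Broadcom or from the original article; the CSV schema, the appliance subnet (192.0.2.0/28), the host names and the svc-aria-collector account are assumptions for illustration and must be mapped to your own log source.

```python
import csv, io, ipaddress
from datetime import datetime, timezone

# Assumptions (not from the advisory): appliance subnet, expected collector
# pairing and the normalised CSV schema are constructed for this example.
APPLIANCE_NET = ipaddress.ip_network("192.0.2.0/28")
EXPECTED = {("vcenter01.example.internal", "svc-aria-collector")}
WINDOW_START = datetime(2026, 2, 24, tzinfo=timezone.utc)  # advisory date from the article

SAMPLE_LOG = """\
timestamp,src_ip,dest_host,account,result
2026-02-20T08:00:00+00:00,192.0.2.5,esxi07.example.internal,root,failure
2026-02-25T02:10:00+00:00,192.0.2.5,vcenter01.example.internal,svc-aria-collector,success
2026-02-26T03:14:07+00:00,192.0.2.5,esxi07.example.internal,root,failure
2026-02-26T03:14:09+00:00,192.0.2.5,esxi07.example.internal,root,success
2026-02-27T11:30:00+00:00,198.51.100.20,vcenter01.example.internal,administrator,success
2026-03-01T04:02:00+00:00,192.0.2.5,vcenter01.example.internal,svc-aria-collector,failure
not-a-date,192.0.2.5,vcenter01.example.internal,x,success
"""  # constructed sample events

def suspicious_events(log_text):
    """Return (timestamp, dest, account, reason) for appliance-sourced auth events to review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["timestamp"])
            src = ipaddress.ip_address(row["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed rows rather than abort the audit
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
        if ts < WINDOW_START or src not in APPLIANCE_NET:
            continue
        pair = (row["dest_host"], row["account"])
        if pair not in EXPECTED:
            # The appliance should only log in where an adapter is configured.
            reason = "unexpected destination/account from appliance"
        elif row["result"] != "success":
            reason = "expected collector account failed; check for credential change or guessing"
        else:
            continue  # routine collection traffic
        findings.append((row["timestamp"], row["dest_host"], row["account"], reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_events(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Keeping the expected destination/account pairs explicit is what separates routine collector logins from the appliance being used as a pivot point.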