The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability in VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, tracked as CVE-2026-22719, has been flagged as actively exploited in attacks, posing a significant risk to organizations using the platform. The vulnerability was originally disclosed and patched on February 24, 2026, but the recent addition to the KEV catalog emphasizes the ongoing threat. CISA is mandating that federal civilian agencies address this issue by March 24, 2026.
VMware Aria Operations is an enterprise monitoring platform that helps organizations track the performance and health of servers, networks, and cloud infrastructure. CVE-2026-22719 is a command injection flaw that allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems, potentially leading to remote code execution, during support-assisted product migration. Broadcom, the company behind VMware, has acknowledged reports of potential exploitation but cannot independently confirm the claims.
To mitigate the risk, Broadcom released security patches and provided a temporary workaround for organizations unable to apply the patches immediately. The workaround is a shell script that must be executed as root on each Aria Operations appliance node; it disables components of the migration process that could be abused during exploitation. At this time, no technical details about how the flaw may be exploited have been publicly disclosed.
This issue highlights the importance of staying vigilant and proactive in cybersecurity. Although the vulnerability has been addressed, the fact that it was actively exploited in attacks underscores the need for organizations to prioritize patching and updating their systems. As always, it's crucial to stay informed and take appropriate measures to protect against emerging threats.