The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Identified Exploited Vulnerabilities catalog, flagging the flaw as exploited in assaults.
Broadcom additionally warned that it’s conscious of stories indicating the vulnerability is exploited however says it can not independently verify the claims.
VMware Aria Operations is an enterprise monitoring platform that helps organizations observe the efficiency and well being of servers, networks, and cloud infrastructure.
The vulnerability was initially disclosed and patched on February 24, 2026, as a part of VMware’s VMSA-2026-0001 advisory, which was rated Essential with a CVSS rating of 8.1.
The flaw has now been added to the CISA’s Identified Exploited Vulnerabilities (KEV) catalog, with the US cyber company requiring federal civilian businesses to handle the difficulty by March 24, 2026.
In a latest replace to the advisory, Broadcom mentioned it’s conscious of stories indicating the vulnerability is exploited in assaults however can not verify the claims.
“Broadcom is conscious of stories of potential exploitation of CVE-2026-22719 within the wild, however we can not independently verify their validity,” states the up to date advisory.
Presently, no technical particulars about how the flaw could also be exploited have been publicly disclosed.
BleepingComputer contacted Broadcom with questions concerning the reported exercise, however has not obtained a response.
The command injection flaw
In accordance with Broadcom, CVE-2026-22719 is a command injection vulnerability that enables an unauthenticated attacker to execute arbitrary instructions on weak methods.
“A malicious unauthenticated actor could exploit this challenge to execute arbitrary instructions which can result in distant code execution in VMware Aria Operations whereas support-assisted product migration is in progress,” the advisory explains.
Broadcom launched safety patches on February 24 and in addition supplied a momentary workaround for organizations unable to use the patches instantly.
The mitigation is a shell script named “aria-ops-rce-workaround.sh,” which have to be executed as root on every Aria Operations equipment node.
The script disables parts of the migration course of that could possibly be abused throughout exploitation, together with eradicating the “/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh” and the next sudoers entry that enables vmware-casa-workflow.sh to run as root with no password:
NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.shAdmins are suggested to use out there VMware Aria Operations safety patches or implement workarounds as quickly as attainable, particularly if the flaw is being actively exploited in assaults.
Malware is getting smarter. The Pink Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
