The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the security flaw is actively being exploited in the wild. This development underscores the ongoing threat posed by sophisticated cyberattacks targeting enterprise security infrastructure, making the patch for CVE-2026-22719 an urgent priority for organizations worldwide.
Broadcom VMware Aria Operations Vulnerability Actively Exploited
CISA’s inclusion of CVE-2026-22719 in its KEV catalog signifies a serious risk to systems running Broadcom VMware Aria Operations. The vulnerability, rated with a high severity score of 8.1 (CVSS), allows unauthenticated attackers to execute arbitrary commands on affected systems. This could potentially lead to remote code execution, a gateway for attackers to gain deeper access and control over sensitive data and operations within an organization.
Broadcom, in an advisory released last month, detailed the nature of the command injection flaw. The company indicated that exploitation could occur while support-assisted product migration is in progress, suggesting a specific window of opportunity for attackers. This highlight the need for diligent security practices and prompt patching, especially during transitional periods in IT environments.
Addressing Multiple Security Flaws
The command injection vulnerability, CVE-2026-22719, was addressed alongside two other significant security issues. These include CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation vulnerability. The latter could allow an attacker with initial access to gain administrative privileges within the affected VMware products, greatly amplifying the impact of any successful breach.
These vulnerabilities impact several key Broadcom VMware products, including VMware Cloud Foundation and VMware vSphere Foundation versions 9.x.x.x, which are now fixed in version 9.0.2.0. Additionally, VMware Aria Operations versions 8.x have been patched in version 8.18.6. Organizations utilizing these platforms are urged to apply the latest updates as soon as possible to mitigate the risks associated with these newly cataloged threats.
For organizations unable to immediately apply the official patch, Broadcom has provided a temporary workaround. A shell script, named “aria-ops-rce-workaround.sh,” can be downloaded and executed as root on each Aria Operations Virtual Appliance node. While this script offers a layer of protection, it is not a substitute for the permanent fix and should be considered a stopgap measure.
Active Exploitation and Compliance Deadlines
Despite Broadcom’s acknowledgement of potential exploitation in the wild, specific details regarding the actors involved, the methods employed, and the scale of these attacks remain undisclosed. Broadcom stated that they are aware of reports but cannot independently verify their validity, a common occurrence in the fast-paced world of cybersecurity where initial exploitation often precedes detailed analysis.
In response to the active exploitation and the potential threat to national security, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by March 24, 2026. This deadline underscores the urgency and the perceived level of risk associated with CVE-2026-22719. Organizations outside of FCEB are strongly encouraged to follow suit and prioritize patching to protect their critical infrastructure from potential attacks.
The coming weeks will likely see further details emerge regarding the exploitation of CVE-2026-22719. Cybersecurity professionals will be closely monitoring threat intelligence reports for any new indicators of compromise or attribution. The next crucial step for affected organizations will be the full deployment of the patches or the implementation of the provided workarounds, ensuring their VMware environments are secure against this actively exploited vulnerability.