Broadcom's VMware Aria Operations (formerly vRealize Operations) contains a command injection flaw that lets an unauthenticated attacker execute arbitrary commands during support-assisted product migration, with CISA confirming active exploitation in the wild.
What Is It
CVE-2026-22719 is a command injection vulnerability (CWE-77) in VMware Aria Operations, disclosed by Broadcom in VMSA-2026-0001. An unauthenticated, network-based attacker can inject arbitrary commands that may lead to remote code execution. The exposure window is specifically when a support-assisted product migration is in progress. NVD assigns a CVSS 3.1 base score of 8.1 (HIGH), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: no privileges or user interaction are required and all three impact metrics are High, but attack complexity is rated High, which reflects the narrow migration window rather than any authentication barrier. With AC:L the same vector would score 9.8, so the High complexity rating is the only thing keeping this out of the Critical band.
Why It Matters
CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog on 2026-03-03, confirming exploitation in the wild. Aria Operations is the monitoring and analytics plane for VMware environments, so a successful RCE gives an attacker a foothold inside the management layer of virtualized infrastructure, with visibility into (and often credentials for) the vCenter and ESXi estate it monitors. The KEV entry lists known use in ransomware campaigns as Unknown. Federal civilian agencies were required to act by 2026-03-24 under BOD 22-01.
What's Vulnerable
Per NVD's affected configurations:
- VMware Aria Operations: 8.0 through versions prior to 8.18.6
- VMware Cloud Foundation: 4.0 through versions prior to 5.2.3, and 9.0 through versions prior to 9.0.2.0
- VMware Telco Cloud Infrastructure: 2.2 through 3.0
- VMware Telco Cloud Platform: 4.0 through 5.1
Two conditions must hold for the flaw to be reachable: the deployment is in one of the ranges above, and a support-assisted product migration is running. An appliance in range is exposed every time such a migration is started, so patching should be driven by version, not by whether a migration happens to be underway right now.
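For fleet triage, the following is an added example (not Broadcom's, NVD's or CISA's code) that encodes the affected ranges listed above and flags inventory entries that fall inside them. Ranges given as "prior to X" are treated as half-open with X as the fixed version; ranges given as "A through B" are treated as inclusive of the B release line, since the page does not state a fixed version for those products. The product-name strings and the sample inventory are constructed for the example; the Response Matrix in VMSA-2026-0001 remains the authoritative source.

```python
# Affected ranges transcribed from the NVD affected-configuration list on this page.
# (product, first affected, boundary, boundary_is_fixed_version)
#   boundary_is_fixed_version=True : affected if first <= v < boundary
#   boundary_is_fixed_version=False: affected if first <= v and v is on or
#                                    below the boundary release line (inclusive)
AFFECTED = [
    ("VMware Aria Operations",            "8.0", "8.18.6",  True),
    ("VMware Cloud Foundation",           "4.0", "5.2.3",   True),
    ("VMware Cloud Foundation",           "9.0", "9.0.2.0", True),
    ("VMware Telco Cloud Infrastructure", "2.2", "3.0",     False),
    ("VMware Telco Cloud Platform",       "4.0", "5.1",     False),
]
KNOWN_PRODUCTS = {row[0] for row in AFFECTED}


def ver(s):
    """Parse '8.18.6' into a 4-tuple of ints so versions compare lexicographically;
    '8.18' is padded to (8, 18, 0, 0)."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True if (product, version) is inside a listed affected range.
    Unknown products raise rather than silently returning False, so a typo in
    the inventory cannot hide an exposed host."""
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"no affected-range data for product {product!r}")
    v = ver(version)
    for prod, first, boundary, boundary_is_fix in AFFECTED:
        if prod != product or v < ver(first):
            continue
        if boundary_is_fix:
            if v < ver(boundary):
                return True
        else:
            n = len(boundary.split("."))          # compare only the stated components
            if v[:n] <= ver(boundary)[:n]:
                return True
    return False


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns the affected subset."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("aria-ops-01", "VMware Aria Operations", "8.18.5"),
    ("aria-ops-02", "VMware Aria Operations", "8.18.6"),
    ("vcf-mgmt-01", "VMware Cloud Foundation", "5.2.1"),
    ("vcf-mgmt-02", "VMware Cloud Foundation", "9.0.2.0"),
    ("tcp-core-01", "VMware Telco Cloud Platform", "5.1"),
    ("tcp-core-02", "VMware Telco Cloud Platform", "5.2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range; see VMSA-2026-0001")
```

A version outside these ranges is not proof of safety on its own: the version list reflects NVD's configuration data at publication, and Broadcom's Response Matrix may list additional builds or workarounds, so reconcile the output against the matrix before closing a ticket.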
Patch Status
Broadcom has published fixed versions in the Response Matrix of VMSA-2026-0001. Apply the patches listed in the "Fixed Version" column, or, as an interim measure only, use the workarounds documented in the "Workarounds" column of the same matrix. CISA's required action: apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Because exploitation is confirmed, treat any in-range appliance that has run a support-assisted migration since disclosure as a candidate for compromise review, not just patching.