The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed VMware Aria Operations vulnerability, tracked as CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw is a command injection vulnerability enabling unauthenticated remote code execution (RCE) under certain conditions. VMware (Broadcom) released patches on February 24, 2026, but reports indicate attackers are now leveraging the issue against unpatched systems. Federal civilian agencies have been mandated to remediate the vulnerability by March 24, 2026.

Vulnerability Details -

    • CVE ID: CVE‑2026‑22719
    • Severity: CVSS 8.1 (High)
    • Type: Unauthenticated command injection leading to remote code execution
    • Affected Product: VMware Aria Operations (formerly vRealize Operations)
    • Conditions for Exploitation: Vulnerability is exploitable during support‑assisted product migration
    • Impact: Allows attackers to execute arbitrary OS-level commands on affected systems.

Broadcom states the flaw can be triggered by a malicious unauthenticated actor, enabling execution of arbitrary commands that may lead to full platform compromise.

 

Current Exploitation Status -

    • CISA confirms the vulnerability is being exploited in active attacks.
    • Broadcom acknowledges reports of exploitation but notes it cannot independently verify them.
    • No public technical details or exploit PoCs have been disclosed as of the latest updates.

 

Mitigation & Patching

Patches

    • Security fixes were released on February 24, 2026, under advisory VMSA‑2026‑0001.

Temporary Workaround

For organizations unable to immediately update:

    • Broadcom provides a mitigation script, aria-ops-rce-workaround.sh, to be run with root privileges on each appliance node.
    • The script disables components in the migration workflow, including:
      • Removal of vmware-casa-migration-service.sh
      • Removal of sudoers entry allowing vmware-casa-workflow.sh to run as root without a password
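
A post-workaround check for the two changes listed above, as an added example that is not Broadcom's script or part of the advisory. The function names are hypothetical, and the search root and sudoers locations are supplied by the caller because the bulletin gives no install paths.

```shell
#!/bin/sh
# Added example: checks that the two workaround changes named in the bulletin hold.
# Assumption: install paths are not given in the bulletin, so the caller supplies
# the search root and the sudoers files/directories to inspect.

MIGRATION_SCRIPT="vmware-casa-migration-service.sh"
WORKFLOW_SCRIPT="vmware-casa-workflow.sh"

# Print every copy of the migration service script found under the search root.
find_migration_script() {
    find "$1" -type f -name "$MIGRATION_SCRIPT" 2>/dev/null || true
}

# Print active (non-comment) sudoers lines that grant NOPASSWD for the workflow
# script. Arguments: sudoers files and/or directories. Rules split across
# backslash-continued lines are not matched and need a manual look.
find_nopasswd_entries() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        find "$path" -type f 2>/dev/null | while IFS= read -r f; do
            grep -HnE "^[[:space:]]*[^#[:space:]].*NOPASSWD.*$WORKFLOW_SCRIPT" "$f" \
                2>/dev/null || true
        done
    done
    return 0
}

# Usage on a node (as root): audit_workaround / /etc/sudoers /etc/sudoers.d
# Returns 0 when neither artifact remains, 1 when either is still present.
audit_workaround() {
    root="$1"; shift
    status=0
    hits=$(find_migration_script "$root")
    if [ -n "$hits" ]; then
        echo "PRESENT: migration service script"; echo "$hits"
        status=1
    fi
    entries=$(find_nopasswd_entries "$@")
    if [ -n "$entries" ]; then
        echo "PRESENT: passwordless sudo rule for $WORKFLOW_SCRIPT"; echo "$entries"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: both workaround changes are in effect"
    return "$status"
}
```

A non-zero return on any node means the workaround did not fully apply there; the check says nothing about whether the patch from the advisory is installed.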

CISA Requirements

    • Federal civilian agencies must patch by March 24, 2026 in accordance with CISA KEV remediation mandates.
