
Addressing CVE-2026-22719: Command Injection Vulnerability in VMware Aria Operations

A high-severity command injection vulnerability in VMware Aria Operations (CVE-2026-22719) has prompted a patch from Broadcom and an addition to the CISA KEV catalog. We strongly recommend that organizations apply the available patches or implement the provided script workaround to protect their virtual infrastructure from unauthorized access.

Triage Security Media Team

The Cybersecurity and Infrastructure Security Agency (CISA) recently observed active security incidents involving a vulnerability in VMware software. Tracked as CVE-2026-22719, this high-severity (CVSS 8.1) command injection flaw affects VMware Aria Operations versions prior to 8.18.6. According to Broadcom's advisory, an unauthenticated party could leverage this issue to execute arbitrary commands, potentially leading to remote code execution while support-assisted product migration is in progress.

Broadcom initially disclosed the vulnerability and released version 8.18.6 on February 24, alongside two other findings: a cross-site scripting flaw (CVE-2026-22720, CVSS 8.0) and a privilege escalation vulnerability (CVE-2026-22721, CVSS 6.2).

On March 3, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog. That same day, Broadcom updated its advisory to indicate the company is aware of reports of potential active exploitation of CVE-2026-22719, though it has not independently confirmed the validity of those reports.

To protect systems, Broadcom urges customers to apply the fixed updates. For organizations unable to patch immediately, Broadcom provides a workaround script to secure vulnerable environments. Affected versions include Aria Operations version 8 up through 8.18.5, and version 9 up through 9.0.1.
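As an added example (not code from the article, from Broadcom, or from the Triage Security Media Team), the check below turns the affected-version ranges quoted above into a simple inventory triage step: it parses dotted version strings, pads them so that 9.0.2 and 9.0.2.0 compare equal, and flags any appliance sitting below the first fixed release on its major line. The hostnames are constructed, and it is an assumption that you can obtain a dotted version string per appliance from your CMDB or appliance export.

```python
"""Flag VMware Aria Operations builds inside the affected ranges reported for
CVE-2026-22719 (8.x through 8.18.5, 9.x through 9.0.1).

Added example, not Broadcom's or the article's own code. The version ranges
come from the article; the inventory below is constructed, and how you obtain
each appliance's version string is an assumption left to the caller.
"""
from typing import Dict, List, Tuple

# First release on each major line that the article reports as not affected:
# 8.18.6 for the 8.x line, and 9.0.2 for the 9.x line (the article names the
# fixed VCF build as 9.0.2.0 and the affected range as "version 9 up through
# 9.0.1"). Anything below these thresholds is treated as affected.
FIRST_FIXED: Dict[int, str] = {
    8: "8.18.6",
    9: "9.0.2",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.18.5' or '9.0.2.0' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so that (9, 0, 2) and (9, 0, 2, 0) compare equal."""
    return version + (0,) * (width - len(version))


def is_affected(version: str) -> bool:
    """True if the version is on a named major line and below its first fix."""
    parsed = parse_version(version)
    fixed_text = FIRST_FIXED.get(parsed[0])
    if fixed_text is None:
        # Major line not named in the advisory; the article makes no claim.
        return False
    fixed = parse_version(fixed_text)
    width = max(len(parsed), len(fixed))
    return pad(parsed, width) < pad(fixed, width)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is affected, in input order.

    inventory: (hostname, version) pairs, for example from a CMDB export.
    """
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("aria-ops-01.example.internal", "8.18.5"),
    ("aria-ops-02.example.internal", "8.18.6"),
    ("aria-ops-03.example.internal", "9.0.1"),
    ("aria-ops-04.example.internal", "9.0.2.0"),
    ("aria-ops-05.example.internal", "8.10.2"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"PATCH OR WORKAROUND NEEDED: {host}")
```

The zero-padding matters in practice: appliance exports and advisories often disagree on how many components a version carries, and a naive string comparison would either miss 9.0.2.0 as fixed or rank 8.10.2 above 8.18.5 lexically.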

Safeguarding cloud management platforms

Aria Operations serves as a unified IT management platform for monitoring broad cloud environments. While centralized management provides operational efficiency, it also requires extensive permissions across the infrastructure. This concentration of access means that securing the platform is a primary defense priority.

Collin Hogue-Spears, senior director of solution management at Black Duck, notes that a compromise involving a command injection flaw like CVE-2026-22719—which can grant unauthenticated root access—poses a risk to the broader virtual infrastructure. This includes exposure of credentials, network topology, and monitoring data.

"[An unauthorized party] who takes Aria does not steal one server," Hogue-Spears stated. "They inherit the credentials and network topology for every system Aria manages. They see what your SOC sees. They control what your SOC trusts."

Hogue-Spears added that capable threat actors often manipulate monitoring platforms to hide their activity while they map ESXi hosts and stage further unauthorized deployments across the virtual estate. This pattern aligns with documented campaigns by groups such as Scattered Spider, Qilin, and Lazarus Group, which have previously targeted VMware management infrastructure due to its extensive access.

While this specific vulnerability only manifests during a migration window, the command injection requires no authentication and provides root access. Because of this structural risk, Hogue-Spears recommends applying the fixed updates (Aria Operations 8.18.6 or VCF 9.0.2.0) immediately, or deploying the workaround if patching will take longer than 48 hours.

This finding follows a pattern of recent security focus on VMware infrastructure. In March of the previous year, Broadcom disclosed a critical vulnerability affecting VMware ESXi and Workstation (CVE-2025-22224). Additionally, security researchers identified evidence in September that a privilege escalation flaw impacting Aria Operations and VMware Tools (CVE-2025-41244) had been utilized in unauthorized access campaigns for nearly a year.