Another VMware vulnerability has been exploited in the wild, according to the Cybersecurity and Infrastructure Security Agency (CISA).
CVE-2026-22719 is a high-severity (CVSS 8.1) command injection vulnerability present in VMware Aria Operations versions prior to 8.18.6. According to an advisory from VMware owner Broadcom, “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.”
It was first disclosed and fixed in version 8.18.6 on Feb. 24, alongside two other flaws: the Aria Operations cross-site scripting bug CVE-2026-22720 (CVSS 8.0) and the privilege escalation vulnerability CVE-2026-22721 (CVSS 6.2).
On March 3, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog alongside a recent Qualcomm bug. The same day, Broadcom updated its advisory with a line, “UPDATE: Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”
Dark Reading contacted Broadcom for additional comment; the company reiterated the above.
Though customers are urged to patch, a workaround also exists in the form of a script vulnerable customers can run in their environments. Vulnerable customers include those running Aria Operations version 8 up to and including 8.18.5, as well as Aria Operations version 9 up to and including 9.0.1.
Unique Risks Surrounding Cloud Management Platforms
Aria Operations is a unified IT management platform used for monitoring and managing a wide range of cloud environments. Although such tools are useful, they also act as a central point for a threat actor to access a swath of infrastructure due to the access these management products require.
Collin Hogue-Spears, senior director of solution management at Black Duck, tells Dark Reading that a compromise against Aria Operations through a flaw like CVE-2026-22719, a basic command injection flaw that can grant unauthenticated root access to an instance, also compromises the entire virtual infrastructure at once, including credentials, network topology, monitoring, and more.
“An attacker who takes Aria does not steal one server,” Hogue-Spears says. “They inherit the credentials and network topology for every system Aria manages. They see what your SOC sees. They control what your SOC trusts. The first thing a capable attacker does after compromising a monitoring platform: make that platform report that nothing happened. Your team watches clean dashboards while the attacker harvests vCenter service accounts, maps every ESXi host, and stages ransomware deployment across your entire virtual estate. This is not speculative. Scattered Spider, Qilin, and Lazarus Group all have documented campaigns targeting VMware management infrastructure precisely because of this outsized access.”
Another concern is that although exploitation can only occur during a migration window, the command injection requires no authentication and grants root access. It’s because of this that Hogue-Spears recommends patching to a fixed version (Aria Operations 8.18.6 or VCF 9.0.2.0) today, or deploying the workaround immediately if patching would take longer than 48 hours.
CVE-2026-22719 is the latest VMware flaw to come under attack. Last March, VMware disclosed three zero-day vulnerabilities, including CVE-2025-22224, a critical bug affecting VMware ESXi and Workstation. In September, researchers found evidence that a critical privilege escalation flaw impacting Aria Operations and VMware Tools, tracked as CVE-2025-41244, had been exploited for nearly a year.
Source: www.darkreading.com…
