CISA Adds VMware Aria Operations RCE Flaw to Exploited List

By alex2404

The U.S. Cybersecurity and Infrastructure Security Agency has added a VMware Aria Operations vulnerability, tracked as CVE-2026-22719, to its Known Exploited Vulnerabilities catalog, confirming the flaw is being actively exploited in attacks. Federal civilian agencies have until March 24, 2026, to remediate the issue.

Broadcom, which owns VMware, acknowledged reports of exploitation but stopped short of confirming them. “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity,” the company stated in an updated advisory.

What the Vulnerability Does

CVE-2026-22719 is a command injection flaw in VMware Aria Operations, an enterprise monitoring platform used to track the performance and health of servers, networks, and cloud infrastructure. The flaw carries a CVSS score of 8.1 and was rated Important by Broadcom.

An unauthenticated attacker can exploit the vulnerability to execute arbitrary commands on affected systems. According to Broadcom’s advisory, exploitation can lead to remote code execution specifically while a support-assisted product migration is in progress.

No technical details about the exploitation method have been made public, and the attack vector remains unclear.

Timeline and Patch Availability

Broadcom originally disclosed and patched the vulnerability on February 24, 2026, as part of security advisory VMSA-2026-0001. At the same time, the company released a temporary workaround for organizations unable to apply patches immediately.

The workaround is a shell script named “aria-ops-rce-workaround.sh” that must be executed as root on each Aria Operations appliance node. The script disables specific components of the migration process that could be abused during an attack, including:

  • Removing the file /usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh
  • Stripping a sudoers entry that allows vmware-casa-workflow.sh to run as root without a password

Removing both that script and the passwordless root sudoers entry effectively cuts off the attack surface the vulnerability exposes.
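To confirm on each node that both changes described above are actually in place, a read-only audit along these lines can help. This is an added example, not Broadcom's workaround script; it assumes sudoers rules live in the standard /etc/sudoers and /etc/sudoers.d/ locations, which the advisory summary above does not specify, and `check_node` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not Broadcom's aria-ops-rce-workaround.sh): read-only audit of
# the two changes the article says the workaround makes.
# Assumption: sudoers rules live in /etc/sudoers and /etc/sudoers.d/ (standard
# sudo layout); the article does not say which file holds the entry.

MIGRATION_SCRIPT="/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh"
WORKFLOW_SCRIPT="vmware-casa-workflow.sh"

# check_node ROOT
#   ROOT is the filesystem root to inspect ("/" on a live node, or a mounted
#   snapshot). Returns 0 = both changes in place, 1 = exposure remains,
#   2 = a sudoers file could not be read, so the result is inconclusive.
check_node() {
    root="${1%/}"
    status=0

    if [ -e "$root$MIGRATION_SCRIPT" ]; then
        echo "PRESENT     $root$MIGRATION_SCRIPT"
        status=1
    fi

    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "UNREADABLE  $f (rerun as root)"
            [ "$status" -eq 1 ] || status=2
            continue
        fi
        # Active (non-comment) rules that grant NOPASSWD and name the script.
        hits=$(awk -v s="$WORKFLOW_SCRIPT" \
            '!/^[ \t]*#/ && /NOPASSWD/ && index($0, s) { print FILENAME ":" FNR ": " $0 }' "$f")
        if [ -n "$hits" ]; then
            echo "SUDOERS     $hits"
            status=1
        fi
    done

    [ "$status" -ne 0 ] || echo "OK          migration script absent, no NOPASSWD rule for $WORKFLOW_SCRIPT"
    return "$status"
}

# Run as: sh audit.sh /    (as root, once per appliance node)
if [ "$#" -gt 0 ]; then
    check_node "$1"
fi
```

A sudoers rule split across lines with a trailing backslash will not match this single-line check, so treat an OK result as a quick confirmation rather than a substitute for applying the patch.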

What Administrators Should Do

Organizations running VMware Aria Operations should apply Broadcom’s February 24 security patches without delay. Those unable to patch immediately should deploy the shell script workaround on every appliance node in their environment.

CISA’s addition of this flaw to the KEV catalog signals a credible threat, even if Broadcom has not independently verified the exploitation reports. The catalog is reserved for vulnerabilities where evidence of active exploitation exists, and its listings carry mandatory remediation deadlines for U.S. federal agencies.

The flaw fits a pattern of enterprise infrastructure vulnerabilities being targeted before widespread patching occurs. VMware products, given their prevalence in data centers worldwide, are a consistent focus for threat actors seeking broad access.


This article is a curated summary based on third-party sources.
