CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

Security Reporter

CISA has added a high-severity command injection vulnerability in VMware Aria Operations to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 24, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. The vulnerability, tracked as CVE-2026-22719 with a CVSS score of 8.1, represents a command injection flaw that could allow unauthenticated attackers to execute arbitrary commands and achieve remote code execution.

According to Broadcom VMware's advisory released late last month, the vulnerability specifically manifests "while support-assisted product migration is in progress." That timing makes the flaw particularly dangerous: it is present only during a specific operational state, and that state is one security teams may not monitor closely.

The vulnerability is part of a trio of security issues addressed in the same patch release. Alongside CVE-2026-22719, VMware fixed CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation flaw that could grant administrative access to attackers.

Affected products include VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x, which were fixed in version 9.0.2.0, and VMware Aria Operations 8.x, which received the patch in version 8.18.6. Organizations running these versions should prioritize updating to the fixed releases.

For organizations unable to immediately apply patches, VMware has provided a mitigation script called "aria-ops-rce-workaround.sh" that can be executed as root on each Aria Operations Virtual Appliance node. This temporary workaround can help reduce exposure while planning for full remediation.

Despite the KEV catalog listing and Broadcom's acknowledgment of "reports of potential exploitation," the company stated it "cannot independently confirm their validity." This uncertainty highlights the often murky nature of vulnerability intelligence, where public reports may outpace verified technical analysis.

The addition to CISA's KEV catalog carries significant weight, as it triggers mandatory patching requirements for Federal Civilian Executive Branch (FCEB) agencies. These agencies must apply the fixes by March 24, 2026, giving them approximately three weeks from the catalog addition to complete remediation.

This vulnerability underscores the ongoing risks in enterprise software environments, particularly in complex systems like VMware's cloud infrastructure portfolio. Command injection vulnerabilities remain a favored attack vector because they can provide attackers with extensive control over compromised systems.

Organizations using affected VMware products should immediately assess their exposure and implement either the official patches or the provided workaround script. Given the active exploitation reports and the critical nature of the vulnerability, delaying remediation could leave systems vulnerable to compromise.
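The exposure assessment described above can be scripted against an inventory, using the fixed builds the article names (8.18.6 for Aria Operations 8.x, 9.0.2.0 for Cloud Foundation / vSphere Foundation 9.x.x.x). This is an added example, not Broadcom's or CISA's own tooling; the product labels and inventory rows are constructed, and any branch not named in the article is reported for manual review rather than guessed at.

```python
"""Exposure check for CVE-2026-22719 against the fixed builds named in the article.

Fixed releases taken from the text: Aria Operations 8.x -> 8.18.6,
VMware Cloud Foundation / vSphere Foundation 9.x.x.x -> 9.0.2.0.
Product labels and inventory lines are constructed sample data, not real hosts.
"""
from typing import Optional

# (product label, vulnerable branch major) -> first fixed build, per the article
FIXED_BUILDS = {
    ("aria-operations", 8): (8, 18, 6),
    ("vcf", 9): (9, 0, 2, 0),
    ("vsphere-foundation", 9): (9, 0, 2, 0),
}

def parse_version(text: str) -> tuple:
    """Split '8.18.6' into (8, 18, 6); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so '8.18' and '8.18.6' compare component-wise."""
    return v + (0,) * (n - len(v))

def needs_patch(product: str, version: str) -> Optional[bool]:
    """True if below the fixed build, False if at or above it,
    None if the product/branch is not covered by the advisory summary."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get((product, v[0]))
    if fixed is None:
        return None
    n = max(len(v), len(fixed))
    return pad(v, n) < pad(fixed, n)

# Constructed inventory: hostname,product,version
SAMPLE_INVENTORY = """\
ops-01,aria-operations,8.18.5
ops-02,aria-operations,8.18.6
ops-03,aria-operations,8.18.6.1
vcf-01,vcf,9.0.1.0
vcf-02,vcf,9.0.2.0
legacy-01,aria-operations,7.5.0
"""

def triage(inventory: str) -> dict:
    """Return {hostname: 'patch' | 'fixed' | 'review'} for each inventory line."""
    result = {}
    for line in inventory.splitlines():
        host, product, version = line.split(",")
        state = needs_patch(product, version)
        result[host] = "review" if state is None else ("patch" if state else "fixed")
    return result

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts marked "patch" should receive the fixed release or, until then, the workaround script; "review" rows are branches the advisory summary does not cover and need a manual check against the vendor's matrix.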

For security teams, this incident serves as another reminder of the importance of maintaining current patch levels and having robust vulnerability management processes in place. The fact that CISA has elevated this to KEV status indicates the severity and likelihood of exploitation, making it a priority for any organization running the affected software.
