CISA Flags Actively Exploited VMware Aria Operations Flaw, Orders Federal Agencies to Patch by March 24

The U.S. government has issued an urgent cybersecurity warning after adding a critical VMware vulnerability to its list of actively exploited threats.

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday confirmed that a high-severity security flaw affecting VMware Aria Operations is being exploited in the wild. The vulnerability, tracked as CVE-2026-22719, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Command Injection Flaw Enables Remote Code Execution

CVE-2026-22719 carries a CVSS score of 8.1 and is classified as a command injection vulnerability. According to vendor advisories, the flaw allows an unauthenticated attacker to execute arbitrary commands on affected systems.

The issue specifically impacts VMware Aria Operations during support-assisted product migration. A successful exploit could lead to remote code execution (RCE), giving attackers significant control over compromised environments.

Broadcom, which owns VMware, said a “malicious unauthenticated actor” could leverage the flaw to run arbitrary commands without needing valid credentials.

Additional Vulnerabilities Patched

The command injection issue was addressed alongside two other vulnerabilities:

  • CVE-2026-22720 – A stored cross-site scripting (XSS) flaw
  • CVE-2026-22721 – A privilege escalation vulnerability that could allow administrative access

Affected products include:

  • VMware Cloud Foundation 9.x (fixed in version 9.0.2.0)
  • VMware vSphere Foundation 9.x (fixed in version 9.0.2.0)
  • VMware Aria Operations 8.x (fixed in version 8.18.6)
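
To turn the list above into a patch-triage check, the following added example (not from Broadcom or CISA) classifies installed versions against the fixed versions stated in the article. The inventory, hostnames and status labels are assumptions made up for illustration.

```python
import re

# Fixed versions come from the article; everything else here is illustrative.
FIXED = {
    "VMware Cloud Foundation": (9, 0, 2, 0),
    "VMware vSphere Foundation": (9, 0, 2, 0),
    "VMware Aria Operations": (8, 18, 6),
}

def parse_version(text):
    """Turn '8.18.6' into (8, 18, 6); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_older(version, fixed):
    """Zero-pad before comparing so 9.0.2 and 9.0.2.0 count as equal."""
    width = max(len(version), len(fixed))
    return version + (0,) * (width - len(version)) < fixed + (0,) * (width - len(fixed))

def triage(product, version_text):
    """Classify one install: vulnerable, fixed, not-listed or unknown."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "not-listed"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"        # check by hand; never assume patched
    if version[0] != fixed[0]:
        return "not-listed"     # the article covers only the 8.x / 9.x lines
    return "vulnerable" if is_older(version, fixed) else "fixed"

# Constructed sample inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("ops-a.example.internal", "VMware Aria Operations", "8.18.5"),
    ("ops-b.example.internal", "VMware Aria Operations", "8.18.6"),
    ("vcf-1.example.internal", "VMware Cloud Foundation", "9.0.2"),
    ("vcf-2.example.internal", "VMware vSphere Foundation", "9.0.1.0"),
    ("ops-c.example.internal", "VMware Aria Operations", "8.18.x"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:26} {product:26} {version:8} {triage(product, version)}")
```

Installs reported as `unknown` or `not-listed` need a manual check against the vendor advisory rather than being treated as patched.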

Customers unable to immediately apply patches are advised to deploy a temporary mitigation script (aria-ops-rce-workaround.sh) on each Aria Operations virtual appliance node with root privileges.

Federal Agencies Given Deadline

Due to confirmed active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches no later than March 24, 2026.

While reports indicate real-world exploitation, Broadcom stated it cannot independently confirm the full scope or attribution of attacks at this time. No details have been released regarding threat actors, tactics, or the scale of compromise.

Enterprise Risk and Urgent Remediation

VMware Aria Operations is widely deployed in enterprise environments for monitoring, automation, and infrastructure management. A remote code execution vulnerability in such systems presents significant risk, especially in large-scale cloud and hybrid deployments.

Security experts warn that command injection flaws are frequently targeted by threat actors because they can allow complete system takeover if left unpatched.

Organizations using affected VMware products are strongly advised to:

  • Apply vendor patches immediately
  • Deploy temporary mitigation scripts if patching is delayed
  • Monitor systems for unusual command execution activity
  • Review logs for signs of compromise

With the vulnerability now formally listed in the KEV catalog, security teams should treat CVE-2026-22719 as a high-priority threat.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO