A high-severity vulnerability in VMware Aria Operations has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, indicating evidence of exploitation in real-world attacks. The vulnerability, tracked as CVE-2026-22719, is a command injection flaw that can allow an unauthenticated attacker to execute arbitrary commands on affected systems and potentially achieve remote code execution (RCE).
The issue was disclosed in February 2026 and assigned a CVSS score of 8.1 (High). It affects VMware Aria Operations deployments used to monitor and manage hybrid cloud and virtualized infrastructure.
Vulnerability Details
CVE ID: CVE-2026-22719
Severity: High (CVSS 8.1)
Type: Command Injection → Potential Remote Code Execution
CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command)
The vulnerability arises from insufficient validation of externally supplied input during certain system operations. If successfully exploited, a malicious actor can inject system commands that are executed by the underlying operating system.
Specifically, the vulnerability is exploitable during support-assisted product migration workflows, which are often used during system upgrades, migrations, or infrastructure transitions. During these operations, the platform executes migration scripts that can be manipulated by attackers to run arbitrary commands.
Because the flaw does not require authentication, attackers may be able to exploit exposed management interfaces without valid credentials.
Additional Related Vulnerabilities
The disclosure was part of a broader security advisory addressing three vulnerabilities in the Aria Operations platform:
| CVE | Type | Impact |
| --- | --- | --- |
| CVE-2026-22719 | Command injection | Unauthenticated command execution leading to RCE |
| CVE-2026-22720 | Stored XSS | Malicious scripts embedded in custom benchmark definitions |
| CVE-2026-22721 | Privilege escalation | Users with certain vCenter privileges may gain admin access |
These issues affect environments running VMware Aria Operations 8.x and related cloud platforms, including VMware Cloud Foundation and VMware Telco Cloud environments.
Read the full Broadcom advisory here.
Exploitation Status
The vulnerability has been added to the CISA KEV catalog following reports of exploitation attempts in the wild.
However, technical exploitation details and proof-of-concept code have not yet been publicly disclosed, and the vendor has stated it cannot independently confirm the reported exploitation activity.
Historically, VMware infrastructure products have been frequent targets of threat actors, including ransomware operators and state-sponsored groups, due to their central role in managing virtualized environments.
Potential Impact
Successful exploitation could allow attackers to:
- Execute arbitrary commands on the Aria Operations appliance
- Gain remote code execution on management infrastructure
- Access sensitive monitoring and configuration data
- Pivot to connected systems such as vCenter or cloud management components
- Escalate privileges within enterprise virtualization environments
Because Aria Operations serves as a centralized monitoring and orchestration layer for hybrid and multi-cloud infrastructure, compromise of the platform could expose critical operational systems and infrastructure telemetry.
Mitigation and Remediation
For organizations running VMware Aria Operations (or products that bundle it), OP Innovate strongly recommends:
- Patch VMware Aria Operations to 8.18.6 (or the vendor-recommended fixed release for your branch) and apply the relevant fixed versions for bundled platforms (e.g., VCF Operations 9.0.2.0).
- If you cannot patch immediately, apply the official workaround, available here.
- Restrict Aria Operations management access to trusted admin networks/VPN only.
- Implement firewall rules / network segmentation to limit inbound access to Aria Operations nodes and related management ports.
Stay Safe. Stay Secure
OP Innovate Research Team



