CVE-2026-22719 — Broadcom VMware Aria Operations Command Injection Vulnerability


Broadcom VMware Aria Operations — Pre-Auth Command Injection During Support-Assisted Migration Workflow

What is VMware Aria Operations?

VMware Aria Operations (formerly vRealize Operations, vROps) is Broadcom's infrastructure monitoring and management platform for VMware environments. It provides unified visibility into vSphere, VMware Cloud, and hybrid cloud infrastructure — monitoring performance, capacity, configuration compliance, and cost optimization across virtualized environments. Aria Operations is deployed in large enterprise and government data centers as a centralized management layer. Compromising it gives an attacker visibility into the entire virtualized infrastructure, the ability to modify configurations, and potential access to credentials used for vSphere management.

Overview

CVE-2026-22719 is a command injection vulnerability (CWE-77) in VMware Aria Operations, exploitable during the product's support-assisted migration workflow. When a migration is in progress, an unauthenticated network attacker can inject arbitrary OS commands that execute as part of the migration process, potentially achieving remote code execution on the Aria Operations appliance. The High Complexity (AC:H) CVSS rating reflects that the vulnerability is only exploitable during the migration window — not continuously. Broadcom confirmed awareness of reports of potential exploitation, and CISA added it to the KEV catalog on 3 March 2026.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| VMware Aria Operations 8.x and earlier | All 8.x versions | VMware Aria Operations 8.18.6 |
| VMware Cloud Foundation (Operations) 4.x / 5.x | All 4.x and 5.x versions | VMware Cloud Foundation Operations 9.0.2.0 |
| VMware Telco Cloud Platform 4.x / 5.x | All 4.x and 5.x versions | Apply Aria Operations 8.18.6 |
| VMware Telco Cloud Infrastructure 2.x / 3.x | All 2.x and 3.x versions | Apply Aria Operations 8.18.6 |

A workaround is available for deployments that cannot immediately upgrade: Broadcom KB article 430349 documents interim mitigations for 8.18.x and 9.0.x deployments.

Technical Details

The vulnerability (CWE-77: Improper Neutralization of Special Elements Used in a Command) is in Aria Operations' support-assisted migration workflow. The migration process accepts user-supplied parameters and passes them to OS command invocations without adequate sanitization. By crafting malicious input containing shell metacharacters, an unauthenticated attacker with network access to the migration interface can inject arbitrary commands that execute in the context of the Aria Operations appliance — which typically runs with elevated privileges.

The High Complexity rating (AC:H) reflects the constraint that exploitation requires the migration workflow to be active. However, in environments where migrations are scheduled and the window is predictable (e.g., during maintenance windows announced to IT staff), an insider or an attacker with knowledge of the maintenance schedule can time attacks accordingly.
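The two paragraphs above describe the CWE-77 pattern in general terms: a user-supplied migration parameter spliced into an OS command string that is then handed to a shell. The following is an added example written for this page, not Aria Operations' own code (the product's real parameter names and commands are not public). It uses a hypothetical "source host" parameter and, so that it runs offline without touching a real network utility, lets the Python interpreter itself stand in for the invoked OS command. It shows the vulnerable string-to-shell form, the argv form that makes the input a single argument, and the hardened form that adds allow-list validation on top of that.

```python
import ast
import re
import subprocess
import sys

# Hypothetical stand-in for a migration-workflow parameter: the hostname of
# the source appliance. Constructed for this example only.
VALID_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# A harmless "tool" that just prints its argv: the interpreter plays the role
# of the OS command the migration workflow would invoke.
ECHO_ARGV = "import sys; print(sys.argv[1:])"


def vulnerable_run(source_host: str) -> str:
    """CWE-77 pattern: untrusted input spliced into a shell command string.

    With shell=True the shell parses the whole string, so metacharacters in
    source_host (';', '&&', '|', backticks) become extra commands.
    """
    cmd = f'{sys.executable} -c "{ECHO_ARGV}" {source_host}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_run_unvalidated(source_host: str) -> list:
    """Same call without a shell: the input becomes exactly one argv entry.

    No shell parses the value, so metacharacters are passed through literally
    and cannot start a second command.
    """
    result = subprocess.run(
        [sys.executable, "-c", ECHO_ARGV, source_host],
        capture_output=True, text=True, check=True,
    )
    return ast.literal_eval(result.stdout.strip())


def validate_host(source_host: str) -> str:
    """Allow-list validation: accept only a syntactically plain hostname."""
    if not VALID_HOST_RE.match(source_host):
        raise ValueError(f"rejected migration parameter: {source_host!r}")
    return source_host


def hardened_run(source_host: str) -> list:
    """Both layers: allow-list the value, then pass it as argv, never via a shell."""
    return argv_run_unvalidated(validate_host(source_host))


if __name__ == "__main__":
    # Constructed, harmless input with a shell metacharacter in it.
    payload = "vrops-src.example; echo INJECTED"
    print("vulnerable :", vulnerable_run(payload).splitlines())
    print("argv only  :", argv_run_unvalidated(payload))
    try:
        hardened_run(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", hardened_run("vrops-src.example"))
```

The argv form alone already stops the shell from interpreting the value, which is the fix that matters most; the allow-list is the second layer that also rejects values a downstream tool might misinterpret (an argument beginning with `-`, for instance). Validation should be an allow-list of the expected shape, as here, not a deny-list of known metacharacters.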

Three vulnerabilities were disclosed simultaneously in VMSA-2026-0001: CVE-2026-22719 (command injection, this CVE), CVE-2026-22720 (Stored XSS, CVSS 8.0, credited to Tobias Anders, Deutsche Telekom Security), and CVE-2026-22721 (Privilege Escalation, CVSS 6.2, credited to Sven Nobis and Lorin Lehawany, ERNW).

Discovery

Broadcom does not publicly name the reporter of CVE-2026-22719.

Exploitation Context

Broadcom stated it was aware of "reports of potential exploitation of CVE-2026-22719 in the wild" without independently confirming. CISA's addition to the KEV catalog on 3 March 2026 — one week after the advisory — indicates government-sourced evidence of real-world exploitation. No specific threat actor has been publicly attributed. Aria Operations deployments in large enterprise and government environments represent high-value targets: compromising the management plane can facilitate reconnaissance, configuration manipulation, credential harvest, and lateral movement across the entire virtualized infrastructure.

Remediation

  1. Upgrade VMware Aria Operations to 8.18.6 or VMware Cloud Foundation Operations to 9.0.2.0 immediately.
  2. If upgrade is not immediately possible, apply the interim workaround documented in Broadcom KB 430349.
  3. Restrict network access to the Aria Operations management interface — use firewall rules to limit access to trusted administrative subnets only. The migration interface should never be internet-accessible.
  4. Avoid initiating migration workflows until the patch is applied, as the vulnerability is only exploitable during the migration window.
  5. Monitor Aria Operations appliance logs for unusual command execution, unexpected outbound connections, or authentication anomalies.
  6. Review credentials stored within Aria Operations (vCenter, NSX, cloud provider credentials) and rotate any that may have been exposed.
  7. Apply the co-disclosed fixes for CVE-2026-22720 (XSS) and CVE-2026-22721 (privilege escalation) as part of the same update — all three are addressed in Aria Operations 8.18.6.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2026-22719 |
| Vendor / Product | Broadcom — VMware Aria Operations |
| NVD Published | 2026-02-25 |
| NVD Last Modified | 2026-03-04 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-77 |
| CISA KEV Added | 2026-03-03 |
| CISA KEV Deadline | 2026-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2026-03-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2026-02-24 | Broadcom releases VMSA-2026-0001 security advisory with fixes |
| 2026-02-25 | CVE published |
| 2026-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-03-04 | NVD last modified |
| 2026-03-24 | CISA BOD 22-01 remediation deadline |