VMware has released urgent security updates to address multiple critical vulnerabilities affecting VMware Aria Operations, including the actively exploited flaw CVE-2026-22719. First identified on February 24, 2026, this VMware vulnerability allows attackers to execute arbitrary operating system commands without authentication during support-assisted migration workflows in VMware Aria Operations, potentially granting them full control of affected appliances. The active exploitation of CVE-2026-22719 in the wild underscores the critical nature of this VMware security issue.
Alongside CVE-2026-22719, VMware also patched a stored cross-site scripting vulnerability designated as CVE-2026-22720 and a privilege escalation issue tracked as CVE-2026-22721, both of which could enable attackers with limited access to compromise administrative accounts within VMware Aria Operations environments. The vulnerabilities affect multiple versions of VMware Aria Operations including releases 8.x through 8.18.5 and 9.x through 9.0.1, as well as VMware Cloud Foundation versions 4.x, 5.x, and 9.x, VMware Telco Cloud Platform versions 4.x and 5.x, and VMware Telco Cloud Infrastructure versions 2.x and 3.x.
Organizations using affected VMware Aria Operations versions are strongly urged to upgrade to VMware Aria Operations version 8.18.6 or VMware Cloud Foundation Operations version 9.0.2.0 immediately to reduce the risk of system compromise. Broadcom, which now maintains VMware products, has also released a workaround shell script, documented in KB430349, that specifically addresses the CVE-2026-22719 command injection vulnerability for organizations unable to patch immediately.
VMware has released security updates addressing several critical vulnerabilities in its products, with the most severe being CVE-2026-22719. This VMware Aria Operations vulnerability stems from insufficient input validation within a component used during support-assisted product migration workflows. An attacker can exploit this VMware weakness to inject and execute arbitrary operating system commands on the underlying Aria Operations appliance without requiring authentication. The severity of CVE-2026-22719 is significantly underscored by confirmed reports of active exploitation in real-world attacks against VMware environments.
The CVE-2026-22719 vulnerability impacts multiple versions of VMware Aria Operations, including releases 8.x through 8.18.5 and 9.x through 9.0.1. The vulnerability also affects broader VMware environments where Aria Operations is deployed as part of VMware Cloud Foundation versions 4.x, 5.x, and 9.x, VMware Telco Cloud Platform versions 4.x and 5.x, and VMware Telco Cloud Infrastructure versions 2.x and 3.x. To mitigate the CVE-2026-22719 risk, Broadcom has released a workaround shell script documented in KB430349 that specifically addresses this command injection vulnerability for organizations unable to immediately apply patches.
Another vulnerability resolved in the same VMware security advisory is CVE-2026-22720, a stored cross-site scripting flaw affecting the custom benchmark creation feature in VMware Aria Operations. The CVE-2026-22720 vulnerability occurs because user-supplied input is not adequately sanitized before being stored and later rendered in the web management interface. A threat actor with sufficient privileges to create custom benchmarks in VMware Aria Operations can inject persistent JavaScript code through CVE-2026-22720, which will execute in the browser of any administrator who views the affected benchmark entry.
CVE-2026-22720 impacts the same VMware Aria Operations product versions as CVE-2026-22719 and has been fixed in VMware Aria Operations version 8.18.6 and VMware Cloud Foundation Operations version 9.0.2.0, providing comprehensive protection against this stored cross-site scripting attack vector.
The third vulnerability addressed in the VMware security advisory, CVE-2026-22721, allows attackers to escalate privileges within the VMware Aria Operations environment. An attacker who already possesses sufficient permissions in VMware vCenter to access Aria Operations can exploit CVE-2026-22721 to gain full administrative control over the platform. This VMware privilege escalation vulnerability is particularly concerning in enterprise environments that rely on privilege separation between vCenter and Aria Operations for defense-in-depth security strategies.
Broadcom has acknowledged reports suggesting that CVE-2026-22719 has already been exploited in the wild by threat actors targeting VMware Aria Operations deployments. VMware administrators are therefore strongly advised to apply the latest security updates for VMware Aria Operations or deploy the recommended workaround documented in KB430349 immediately to reduce exposure, particularly in environments where migration workflows are active. Prompt remediation of CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721 is critical to prevent potential remote compromise of affected VMware systems.
Upgrade VMware Aria Operations to version 8.18.6 or VMware Cloud Foundation Operations to version 9.0.2.0 without delay. These patched releases address all three disclosed vulnerabilities: CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721. Because CVE-2026-22719 has been confirmed as actively exploited in the wild, patching should be treated as the highest-priority remediation action for all affected VMware Aria Operations deployments.
If operational constraints prevent immediate patching of VMware Aria Operations, apply Broadcom’s workaround shell script (aria-ops-rce-workaround.sh) as documented in KB430349 to mitigate the command injection vulnerability CVE-2026-22719. Note that this workaround addresses only CVE-2026-22719 and does not protect against CVE-2026-22720 or CVE-2026-22721, so it should be considered a temporary measure until full patching of VMware Aria Operations is complete.
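The patch and workaround guidance above can be turned into a per-appliance exposure check. The following is an added example, not Broadcom or VMware code: it encodes the fixed releases and the workaround's single-CVE coverage stated in this advisory, and the host names and inventory format are constructed for illustration.

```python
# Added example, not vendor code. Version boundaries come from the advisory
# text above; the inventory records are constructed sample data.
FIXED = {8: (8, 18, 6, 0), 9: (9, 0, 2, 0)}  # first fixed release per major line
ALL_CVES = ["CVE-2026-22719", "CVE-2026-22720", "CVE-2026-22721"]
WORKAROUND_COVERS = {"CVE-2026-22719"}  # KB430349 script mitigates only this one

def parse_version(text):
    """Turn '8.18.5' or '9.0.2.0' into a zero-padded 4-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def open_cves(version, workaround_applied=False):
    """CVEs still exposed on one appliance; None if the major line is not
    one of the 8.x / 9.x lines this sketch has a fixed release for."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None  # outside this sketch: consult the vendor advisory
    if v >= fixed:
        return []  # patched release addresses all three
    return [c for c in ALL_CVES
            if not (workaround_applied and c in WORKAROUND_COVERS)]

def triage(inventory):
    """Order hosts: unmitigated CVE-2026-22719 first, fully patched last."""
    def rank(row):
        cves = row[1]
        if cves is None:
            return 1
        if "CVE-2026-22719" in cves:
            return 0
        return 2 if cves else 3
    rows = [(h["name"], open_cves(h["version"], h.get("workaround", False)))
            for h in inventory]
    return sorted(rows, key=rank)

# Constructed inventory (hypothetical host names).
SAMPLE = [
    {"name": "ops-a", "version": "8.18.6"},
    {"name": "ops-b", "version": "8.18.5", "workaround": True},
    {"name": "ops-c", "version": "9.0.1"},
    {"name": "ops-d", "version": "9.0.2.0"},
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE):
        print(f"{name}: {cves if cves is not None else 'check advisory'}")
```

A host with the workaround applied but not yet upgraded still reports CVE-2026-22720 and CVE-2026-22721 as open, which is why the workaround is treated as temporary.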
Limit network-level access to the VMware Aria Operations management interface to only authorized administrative hosts and networks. Apply firewall rules, network segmentation, and access control lists to prevent unauthorized network entities from reaching the management plane, thereby reducing the attack surface for all three vulnerabilities, particularly the unauthenticated command injection in CVE-2026-22719.
Review all existing custom benchmarks within VMware Aria Operations for any indicators of injected malicious scripts that may have been introduced through CVE-2026-22720 exploitation, and audit user accounts with permissions to create or modify benchmarks. Remove or remediate any suspicious benchmark entries and ensure the principle of least privilege is enforced for all VMware Aria Operations user roles to mitigate the stored XSS risk associated with CVE-2026-22720.
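One way to approach the benchmark review described above, as an added example that is not part of the original advisory or any VMware tooling: it parses each stored text field and flags any markup, since these fields are assumed here to be plain text. The record layout (`id`, `name`, `description`, `owner`) is a hypothetical export format and the sample records are constructed.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class MarkupFinder(HTMLParser):
    """Records why a stored text field looks like it carries markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        reasons = []
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                reasons.append(f"event handler attribute {name}")
            elif (value or "").strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in {name}")
        # Any other tag is still unexpected in a plain-text field.
        self.findings.extend(reasons or [f"unexpected <{tag}> markup"])

def scan_benchmarks(benchmarks, fields=("name", "description")):
    """Return one finding per suspicious construct, with the record owner."""
    flagged = []
    for bm in benchmarks:
        for field in fields:
            finder = MarkupFinder()
            finder.feed(str(bm.get(field, "")))
            finder.close()
            flagged += [{"id": bm["id"], "owner": bm.get("owner"),
                         "field": field, "reason": r} for r in finder.findings]
    return flagged

# Constructed records in a hypothetical export format.
SAMPLE = [
    {"id": "bm-1", "name": "Baseline", "description": "CPU < 80% target",
     "owner": "alice"},
    {"id": "bm-2", "name": "Q1 audit", "owner": "svc-report",
     "description": '<script src="https://example.invalid/x.js"></script>'},
    {"id": "bm-3", "name": '<img src="x" onerror="void(0)">',
     "description": "", "owner": "jdoe"},
]

if __name__ == "__main__":
    for finding in scan_benchmarks(SAMPLE):
        print(finding)
```

The `owner` values on flagged records give the starting list of accounts whose benchmark permissions should be audited.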
Initial Access:
Execution:
Privilege Escalation:
Resource Development: