Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory VMSA-2026-0001 for VMware Aria Operations (formerly vRealize Operations), warning of three vulnerabilities affecting Aria Operations and bundled platforms including VMware Cloud Foundation and VMware Telco Cloud. The most severe issue, CVE-2026-22719 (CVSS 8.1), is a command injection flaw that can be exploited by an unauthenticated attacker to execute arbitrary commands and potentially achieve remote code execution specifically while a support-assisted product migration is in progress. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix/KB guidance.
The advisory also covers CVE-2026-22720 (CVSS 8.0), a stored XSS issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and CVE-2026-22721 (CVSS 6.2), a privilege escalation path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers Sven Nobis and Lorin Lehawany of ERNW were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations 8.18.6 and Cloud Foundation 9.0.2.0, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-22719 vulnerability record is published
On 2026-02-25, a public vulnerability record for CVE-2026-22719 described the unauthenticated command injection flaw in VMware Aria Operations as leading to arbitrary command execution and possible remote code execution during support-assisted migration. The record pointed users to Broadcom's fixed-version matrix and workaround guidance.
Canadian Centre for Cyber Security issues alert on VMware advisory
On 2026-02-24, the Canadian Centre for Cyber Security published alert AV26-162 referencing VMSA-2026-0001 and warning that versions prior to Aria Operations 8.18.6 and Cloud Foundation/vSphere Foundation 9.0.2.0 were affected. It urged administrators to review the advisory and apply the necessary updates.
Broadcom releases patches for affected VMware Aria and foundation products
Broadcom released fixes for the disclosed flaws, including Aria Operations 8.18.6 and VMware Cloud Foundation and vSphere Foundation 9.0.2.0. The advisory noted only a limited workaround for CVE-2026-22719, increasing the need to apply updates for the remaining issues.
Broadcom discloses VMware Aria Operations vulnerabilities in VMSA-2026-0001
On 2026-02-24, Broadcom published security advisory VMSA-2026-0001 covering three vulnerabilities in VMware Aria Operations and related VMware Cloud Foundation and vSphere Foundation products. The issues were tracked as CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721, including command injection, stored XSS, and privilege escalation impacts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CVE-2026-22719 - VMware Aria Operations command injection vulnerability
cvefeed.io
Open sourceVMware security advisory (AV26-162) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceVMware Aria Operations flaws could enable remote attacks
securityaffairs.com
Open sourceMultiple VMware Aria Vulnerabilities Allow Remote Code Execution Attacks
cybersecuritynews.com
Open sourceCritical VMware Aria Operations Flaw Allows RCE During System Upgrades
securityonline.info
Open sourceSupport Content Notification - Support Portal - Broadcom support portal
support.broadcom.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued **VMSA-2025-0010** to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by **CVE-2025-41225**, an authenticated command-execution flaw in **vCenter Server** with a **CVSS 8.8** score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address **CVE-2025-41226** and **CVE-2025-41227** denial-of-service issues and **CVE-2025-41228**, a reflected **XSS** flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that **no workarounds** exist. The latest advisory follows earlier VMware warnings over serious **vCenter Server** weaknesses, including **VMSA-2024-0012**, which disclosed **CVE-2024-37079**, **CVE-2024-37080**, and **CVE-2024-37081** as memory-management and corruption flaws that could enable **remote code execution** in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing **CVE-2024-37081**, underscoring continued security attention on vCenter exposure.
May 26, 2026
Pwn2Own VMware Hypervisor Escape and Privilege Escalation Vulnerabilities
Broadcom VMware issued fixes for multiple **Pwn2Own-disclosed** local privilege escalation flaws affecting **ESXi** and **Workstation**, where attackers with code execution inside a guest can potentially execute arbitrary code in the **hypervisor** context. The disclosed issues include **CVE-2025-41236** in the **VMXNET3** virtual device on ESXi, caused by an integer overflow; **CVE-2025-41237** in **VMCI** on ESXi, caused by an integer underflow; and **CVE-2025-41238** in the **PVSCSI** virtual device on Workstation, caused by improper validation of user-controlled length data leading to a heap-based buffer overflow. All three advisories assign a **CVSS 8.2** score and describe the same exploitation precondition: the attacker must already be able to run high-privileged code on the guest OS. The Aria Operations privilege-escalation research is a **different VMware product issue** and does not describe the same disclosure set. That separate report covers **CVE-2025-41245** and **CVE-2026-22721**, where a vCenter user mapped by default to Aria’s **PowerUser** role could escalate to an Aria administrator and potentially gain access across integrated VMware environments. By contrast, the relevant Pwn2Own advisories focus specifically on guest-to-hypervisor escape paths in ESXi and Workstation, with Broadcom publishing updates through the same security advisory channel and crediting researchers from **STAR Labs**, **Synacktiv**, and **REverse Tactics** for the findings.
Mar 21, 2026
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Apr 24, 2026