High · CISA KEV · Exploited in the wild · Public exploit

Unauthenticated Command Injection RCE in VMware Aria Operations

Identifiers: CVE-2026-22719, CWE-77 · Improper Neutralization of Special…
Also known as: vmsa_2026_0001

CVE-2026-22719 is a command injection vulnerability in Broadcom VMware Aria Operations (formerly vRealize Operations/vROps). According to Broadcom, a malicious unauthenticated actor can exploit the flaw to execute arbitrary commands, potentially resulting in remote code execution on the Aria Operations appliance. Exploitation is tied to a specific operational state: the vulnerable code path is reachable while a support-assisted product migration is in progress. Reported affected versions include Aria Operations 8.x through 8.18.5 and 9.x through 9.0.1, with related exposure also noted in bundled platforms that include Aria Operations, such as VMware Cloud Foundation, VMware vSphere Foundation, and certain VMware Telco Cloud offerings. Public reporting does not provide deeper technical detail on the exact vulnerable function or parameter handling beyond Broadcom’s classification of the issue as command injection.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the VMware Aria Operations appliance and may lead to full remote code execution. Because Aria Operations is a high-trust management and monitoring platform, compromise can expose sensitive operational data and create a foothold in the management plane, with potential downstream impact on managed virtual, cloud, and hybrid infrastructure. CISA added the vulnerability to the KEV catalog based on evidence of active exploitation, indicating real-world attacker interest.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, apply Broadcom’s temporary workaround for CVE-2026-22719. The documented workaround uses the script aria-ops-rce-workaround.sh, which must be copied to and executed as root on each Aria Operations Virtual Appliance node. Broadcom states this workaround is intended only for CVE-2026-22719 and does not mitigate CVE-2026-22720 or CVE-2026-22721. Additional defensive measures supported by the content include restricting Aria Operations management-plane access to trusted administrative networks or VPN-only access, tightening change control around migration windows, and increasing monitoring during support-assisted migration activity.

Remediation

Patch, then assume compromise.

Apply Broadcom/VMware fixed releases referenced in VMSA-2026-0001 and the associated response matrix. The content indicates fixed versions include VMware Aria Operations 8.18.6 and 9.0.2, with bundled platform fixes including VMware Cloud Foundation / VMware vSphere Foundation 9.0.2.0 and VMware Cloud Foundation 5.2.3 where applicable. For other affected bundled offerings, apply the specific Broadcom KB-directed fixes identified in the advisory response matrix. Upgrade is required to fully remediate related issues in the advisory set.
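
The version boundaries stated above (8.x through 8.18.5 and 9.x through 9.0.1 affected; 8.18.6 and 9.0.2 fixed) can be applied to an asset inventory as a quick triage pass. The following is an added example, not Broadcom or Mallory code; the `host,version` inventory format, the hostnames and the build suffix are constructed assumptions.

```python
import re

# Fixed releases per major branch, taken from the remediation text above.
FIXED = {8: (8, 18, 6), 9: (9, 0, 2)}

def parse_version(text):
    """Return the leading dotted version as a 3-tuple of ints, or None."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(version_text):
    """Map one Aria Operations version string to a triage status."""
    ver = parse_version(version_text)
    if ver is None:
        return "unparseable"
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "review"  # branch not covered by the ranges stated on the page
    return "affected" if ver < fixed else "fixed"

def triage(inventory_text):
    """Classify 'hostname,version' lines; return {status: [hostnames]}."""
    result = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result.setdefault(classify(version), []).append(host.strip())
    return result

# Constructed sample inventory (hostnames and build suffix are made up).
SAMPLE = """\
# host,version
ariaops-prod-01,8.18.5
ariaops-prod-02,8.18.6-24521408
ariaops-lab-01,9.0.1
ariaops-lab-02,9.0.2
ariaops-old-01,8.10
ariaops-dr-01,unknown
legacy-vrops,7.5.0
"""

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

The check looks only at the reported version, so a node where the temporary workaround has been applied still shows as affected, and hosts in the `review` or `unparseable` buckets need a manual look against the advisory response matrix.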
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Broadcom | Aria Operations | application
Broadcom | Cloud Foundation | application
Broadcom | Telco Cloud Infrastructure | application
Broadcom | Telco Cloud Platform | application

Vendor-confirmed product mapping.
