CISA Adds VMware Aria Operations Flaw to Exploited Vulnerabilities Catalog

CISA adds CVE-2026-22719, a command injection flaw in Broadcom VMware Aria Operations rated CVSS 8.1, to the Known Exploited Vulnerabilities catalog — giving federal agencies until March 24 to patch after confirming active exploitation during product migration operations.

TechDrop Editorial

CISA has added CVE-2026-22719 to the Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation of a command injection flaw in Broadcom VMware Aria Operations that allows unauthenticated remote code execution during product migration operations. Federal agencies have until March 24 to apply the patch.

Vulnerability Details

CVE-2026-22719 carries a CVSS score of 8.1 and affects VMware Aria Operations (formerly vRealize Operations), a monitoring and analytics platform used by enterprises to manage VMware-based virtualization environments. The vulnerability exists in the product's migration functionality — an attacker who can reach the migration endpoint can inject arbitrary commands that execute with the privileges of the Aria Operations service account, without requiring authentication.

Related Vulnerabilities

The original patch, released by Broadcom on February 24, also addressed CVE-2026-22720 (a cross-site scripting vulnerability) and CVE-2026-22721 (a privilege escalation flaw). While only CVE-2026-22719 has been confirmed as actively exploited, CISA recommends patching all three vulnerabilities simultaneously, as the XSS and privilege escalation flaws could be chained with other vulnerabilities to achieve more impactful attacks.

Enterprise Impact

VMware Aria Operations is widely deployed in enterprise data centers, particularly in organizations with large VMware vSphere environments. The vulnerability is most dangerous during migration operations — precisely the scenario where organizations are most likely to have temporary network configurations that expose management interfaces more broadly than normal operations. Organizations planning VMware migrations should ensure the Aria Operations patch is applied before beginning migration activities, and should restrict network access to Aria management interfaces regardless of patch status.