VMware Aria Operations RCE Flaw (CVE-2026-22719) Added to CISA's Known Exploited Vulnerabilities Catalog

CISA Adds VMware Aria RCE Flaw to 'Must-Patch' KEV List, Confirming Active Exploitation

HIGH
March 6, 2026
March 7, 2026
4m read
VulnerabilityCyberattackPatch Management

Related Entities(initial)

Products & Tech

VMware Aria Operations

CVE Identifiers

CVE-2026-22719
HIGH
CVSS:8.1
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1059.004Execution

Command and Scripting Interpreter: Unix Shell

Full Report(when first published)

Executive Summary

On March 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog, providing official confirmation of its active exploitation in the wild. This vulnerability is a high-severity (CVSS 8.1) command injection flaw affecting Broadcom's VMware Aria Operations (formerly vRealize Operations). While exploitation requires a specific precondition—a support-assisted product migration must be underway—attackers are successfully identifying and compromising systems during this vulnerable period. A successful exploit allows an unauthenticated attacker to execute arbitrary code remotely, posing a severe threat to data center and cloud environments managed by the platform.

Vulnerability Details

CVE-2026-22719 is a command injection vulnerability. It allows an attacker to inject and execute arbitrary operating system commands on the underlying server hosting VMware Aria Operations. The attack vector is unauthenticated, meaning the threat actor does not need valid credentials to exploit it. However, the vulnerability is only exposed during a narrow window of opportunity when an administrator has initiated a support-assisted product migration process. Despite this limitation, its addition to the KEV catalog proves that this scenario is being actively targeted by threat actors.

Affected Systems

  • Broadcom VMware Aria Operations (formerly vRealize Operations)
  • Organizations should consult the official VMware Security Advisory VMSA-2026-XXXX for specific affected versions.

Exploitation Status

CISA has confirmed that CVE-2026-22719 is being actively exploited. The addition to the KEV catalog on March 6, 2026, serves as a strong signal to all organizations to prioritize remediation. Federal Civilian Executive Branch (FCEB) agencies are required to patch this vulnerability by a specific deadline set by CISA.

Impact Assessment

Compromising a management and observability platform like VMware Aria Operations provides a powerful foothold for an attacker. Potential impacts include:

  • Broad Environmental Control: Attackers can leverage the platform's legitimate functions to manipulate virtual machines, alter configurations, and disable security controls across the entire managed environment.
  • Data Exfiltration: The compromised appliance can be used as a pivot point to access and exfiltrate sensitive data from connected vSphere environments and other integrated systems.
  • Persistence: Attackers can establish deep persistence within the management layer of the data center, which is often less scrutinized than production workloads, making detection and eradication difficult.
  • Lateral Movement: The flaw provides an ideal entry point for moving laterally to other critical systems like vCenter Server, backup solutions, and domain controllers.

Detection Methods

  • Log Analysis: Monitor VMware Aria Operations logs for any unusual or unexpected command executions, particularly during or shortly after a migration process. Look for shell commands (sh, bash) being spawned by the application's user context.
  • Network Monitoring: Analyze network traffic to and from the Aria Operations appliance. Be alert for connections to unknown external IP addresses or the transfer of large volumes of data.
  • Vulnerability Scanning: Use an up-to-date vulnerability scanner to identify instances of Aria Operations in your environment and confirm if they are patched against CVE-2026-22719.

Remediation Steps

  1. Prioritize Patching: Immediately apply the patches provided by Broadcom/VMware to all vulnerable Aria Operations instances. Due to its KEV status, this should be treated as an emergency change.
  2. Restrict Access: If patching cannot be performed immediately, severely restrict network access to the Aria Operations management interface. Ensure it is not exposed to the internet and is only accessible from a secure management network.
  3. Monitor Migration Activities: If a migration is necessary on an unpatched system, conduct heightened real-time monitoring of the appliance's activity for the duration of the process. Treat any anomalous behavior as a potential compromise.
  4. Harden Management Tools: This incident underscores the need to treat infrastructure management tools as Tier 0 assets. They should be included in the most aggressive patching cycles, protected by multi-factor authentication, and have their access tightly controlled.

Timeline of Events

1
March 6, 2026
CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog.
2
March 6, 2026
This article was published

Article Updates

March 7, 2026

New details on affected versions and cyber observables for detecting active exploitation of CVE-2026-22719 in VMware Aria Operations.

Update Sources:
diesec.comTop 5 Cybersecurity News Stories March 06, 2026
packetwatch.comCyber Threat Intelligence Report | 3/9/2026

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the vendor-supplied patch is the most direct and effective mitigation.

Limit Access to Resource Over Network

M1035enterprise

Restricting access to the management interface minimizes the opportunity for an attacker to exploit the flaw.

Application Isolation and Sandboxing

M1048enterprise

Running management applications in an isolated network segment can help contain the blast radius if a compromise occurs.

Timeline of Events

1
March 6, 2026

CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog.

Sources & References(when first published)

Top 5 Cybersecurity News Stories March 06, 2026
DIESECMarch 6, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CVE-2026-22719VMwareAria OperationsvRealizeCISA KEVCommand InjectionRCE

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.