CVE-2026-22719: VMware Aria Operations Command Injection Added to CISA KEV
Broadcom previously disclosed and patched CVE-2026-22719, a command injection issue in VMware Aria Operations (formerly vRealize Operations) that can enable unauthenticated Remote Code Execution (RCE) under a specific operational condition. This matters now because CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which signals confirmed exploitation activity in real-world environments.
What Is CVE-2026-22719?
CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations that can lead to unauthenticated RCE. VMware’s CVSS rating is 8.1 (High) with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting that it is reachable over the network and requires no credentials, but also that exploitation is not “always-on.”
Details of CVE-2026-22719 (SOCRadar’s Vulnerability Intelligence)
The practical limiter matters. Broadcom states the vulnerable code path is reachable only while a support-assisted product migration is in progress, which is why Attack Complexity is rated High. In other words, a vulnerable appliance is not continuously exploitable, but the risk spikes during migration windows.
Which VMware Aria Operations Versions Are Affected?
Broadcom’s guidance identifies the following directly impacted versions:
- Aria Operations 8.x: up to and including 8.18.5
- Aria Operations 9.x: up to and including 9.0.1
Broadcom also lists exposure for bundled platforms where Aria Operations is included, including VMware Cloud Foundation (VCF), VMware vSphere Foundation, and VMware Telco Cloud offerings. If you run Aria Operations as part of a bundle, the safest approach is to follow Broadcom’s “response matrix” for your platform line, not just the standalone Aria Ops version number.
How Does Exploitation Work In Real Environments?
At a high level, attackers abuse command injection to execute arbitrary commands on the Aria Operations appliance. The defining operational condition is that exploitation is tied to the migration workflow, specifically during a support-assisted product migration.
That requirement shapes defensive priority. If your organization is actively migrating Aria Operations or has a migration scheduled, treat that time period as your highest-risk window. If you are not migrating, you should still patch, but your immediate exposure depends heavily on whether an attacker can reach the management interface and whether a migration state exists to trigger the vulnerable path.
Is CVE-2026-22719 Being Exploited In the Wild?
Yes, based on CISA’s posture. CISA added CVE-2026-22719 to the KEV catalog on March 3, 2026, which indicates CISA has evidence of real-world exploitation.
Multiple security news reports have repeated the “exploited in the wild” framing, but at the time of writing, there is still no widely published write-up describing actors, targeting scale, or a step-by-step exploitation chain.
Is There A Public PoC or Turnkey Exploit Code?
At the time of writing, there does not appear to be a widely referenced public proof-of-concept exploit (such as a commonly cited GitHub repository or Metasploit module) for CVE-2026-22719 in mainstream reporting.
What is publicly available is Broadcom’s workaround shell script named aria-ops-rce-workaround.sh. Defenders should treat this as a mitigation artifact rather than exploit code. Broadcom also notes that this workaround is specific to CVE-2026-22719 and does not address other vulnerabilities mentioned in the same advisory (including CVE-2026-22720 and CVE-2026-22721).
SOCRadar’s Vulnerability Intelligence
When vulnerabilities like CVE-2026-22719 enter CISA’s Known Exploited Vulnerabilities (KEV) catalog, security teams must quickly determine whether their environments are at risk.
SOCRadar’s Cyber Threat Intelligence helps organizations track vulnerabilities that are actively exploited, referenced by threat actors, or tied to real attack activity. By combining exploitation signals, KEV alerts, and vulnerability context, security teams can prioritize patching efforts and focus on the flaws that pose the greatest operational risk.
What Should Defenders Do Now Before the KEV Deadline?
CISA’s KEV remediation due date for federal agencies is March 24, 2026. Even for non-federal organizations, that date is a useful outside bound for urgency because it reflects confirmed exploitation and a short operational response window.
Patch First: Move To Fixed Versions
Broadcom’s fixed releases for standalone Aria Operations are:
- Aria Operations 8.18.6
- Aria Operations 9.0.2
For bundled platforms (VCF, vSphere Foundation, Telco), apply the vendor guidance for the fixed bundle version (for example, Broadcom calls out 9.0.2.0 for certain VCF/vSphere Foundation contexts).
If You Cannot Patch Immediately: Use The Workaround Script
If you cannot upgrade fast enough, Broadcom provides a workaround procedure using aria-ops-rce-workaround.sh, run as root on each Aria Operations Virtual Appliance node. Treat this as temporary risk reduction, not closure, and still plan the upgrade path.
Reduce Exposure During Migrations
Because exploitation is tied to a migration-in-progress condition, operational controls matter:
- Restrict Aria Operations management access to trusted admin networks or VPN only.
- Tighten change control around migration windows, including who can initiate or modify migration workflows.
- Treat Aria Operations as a high-trust management plane system, and monitor it accordingly during any migration activity.
Fast Triage Checklist
- Inventory Aria Operations instances and flag anything ≤ 8.18.5 or ≤ 9.0.1.
- Identify whether any support-assisted migrations are active or scheduled.
- Upgrade to 8.18.6 or 9.0.2 (or the fixed bundle release).
- If patching is delayed, apply aria-ops-rce-workaround.sh and plan the upgrade anyway.
- Use March 24, 2026 (the CISA KEV due date) as the outside bound for remediation or formal risk acceptance, because the CVE is in CISA KEV.
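The first four checklist items above reduce to a version comparison plus two yes/no facts per node (is a support-assisted migration active, has the workaround been applied). The script below is an added example, not Broadcom’s or SOCRadar’s code, that encodes the affected and fixed versions exactly as stated on this page and ranks each node. The inventory records, host names, and the CRITICAL/HIGH/MEDIUM labels are constructed for illustration; the one thing it deliberately gets right that an ad-hoc string comparison would not is numeric ordering of dotted versions (for example a four-part bundle version such as 9.0.2.0 must compare equal to, not below, 9.0.2).

```python
"""Triage helper for CVE-2026-22719 exposure.

Added example, not Broadcom's or SOCRadar's code. Affected/fixed version
boundaries are taken from the advisory summary on this page; every
inventory record below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed standalone releases named on the page, keyed by major line.
# Anything on that line below the fixed release is treated as affected.
FIXED_VERSIONS = {
    8: (8, 18, 6),
    9: (9, 0, 2),
}

# KEV remediation due date quoted on the page (ISO format).
KEV_DUE_DATE = "2026-03-24"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.18.5' or '9.0.2.0' into a tuple of ints for numeric comparison.

    A plain string comparison would rank '8.18.10' below '8.18.5'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release for its major line, False if at or above,
    None if the major line is not covered by the advisory text on this page."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    # Pad to equal length so (9, 0, 2, 0) compares equal to (9, 0, 2), not below it.
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    f_padded = fixed + (0,) * (width - len(fixed))
    return v_padded < f_padded


@dataclass
class AriaNode:
    host: str
    version: str
    migration_active: bool    # support-assisted migration in progress or scheduled
    workaround_applied: bool  # aria-ops-rce-workaround.sh already run as root


def triage(node: AriaNode) -> str:
    """Return a priority verdict for one node (labels are this example's own)."""
    affected = is_affected(node.version)
    if affected is None:
        return "UNKNOWN: version line not on this page; check Broadcom's response matrix"
    if not affected:
        return "OK: fixed release"
    if node.migration_active and not node.workaround_applied:
        return "CRITICAL: affected, migration active, no mitigation; patch or run workaround now"
    if node.migration_active:
        return "HIGH: affected, workaround applied, migration active; upgrade still required"
    if node.workaround_applied:
        return f"MEDIUM: affected, workaround applied; upgrade before {KEV_DUE_DATE}"
    return f"HIGH: affected, no mitigation; patch before {KEV_DUE_DATE}"


# Constructed inventory. 8.18.10 is hypothetical and exists only to show the
# numeric-ordering pitfall; the rest mirror the page's version boundaries.
SAMPLE_INVENTORY = [
    AriaNode("aria-prod-01", "8.18.5", migration_active=True, workaround_applied=False),
    AriaNode("aria-prod-02", "8.18.6", migration_active=False, workaround_applied=False),
    AriaNode("aria-lab-01", "9.0.1", migration_active=False, workaround_applied=True),
    AriaNode("vcf-aria-01", "9.0.2.0", migration_active=False, workaround_applied=False),
    AriaNode("aria-hyp-01", "8.18.10", migration_active=False, workaround_applied=False),
]


def run_triage(nodes) -> dict:
    """Map host name to verdict for a list of AriaNode records."""
    return {n.host: triage(n) for n in nodes}


if __name__ == "__main__":
    for host, verdict in run_triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Feed it your real inventory (a CMDB export, vCenter tags, or the appliance’s own version banner) and the migration and workaround flags from change control. The UNKNOWN branch is intentional: a version line the page does not cover should send you to Broadcom’s response matrix rather than being silently marked safe.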
