Broadcom published security advisory VMSA-2026-0001 on February 24, 2026, disclosing three vulnerabilities in VMware Aria Operations. The most severe of the three - CVE-2026-22719 - is a command injection flaw carrying a CVSSv3 score of 8.1 (High). No authentication is required to exploit it, making it a critical concern for any enterprise running affected VMware products.

What Is CVE-2026-22719?

CVE-2026-22719 is a command injection vulnerability (CWE-77) embedded in VMware Aria Operations' support-assisted migration workflow. The root cause is improper input validation: user-controlled data is passed into system commands without adequate sanitization of special characters such as ;, |, &, and backticks.
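
The root cause described above, shown as a vulnerable pattern beside its hardened form. This is an added example, not code from Broadcom or from Aria Operations: the helper names, the `echo` command and the allowlist pattern are assumptions chosen to illustrate CWE-77 in general, and the inputs are constructed with a harmless marker.

```python
import re
import subprocess

# Hypothetical helper names; this is not VMware code.
ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed allowlist for a node name

def unsafe_run(target):
    # Vulnerable pattern (CWE-77): input is spliced into a shell command line,
    # so /bin/sh interprets ; | & and backticks as syntax.
    return subprocess.run("echo migrating " + target, shell=True,
                          capture_output=True, text=True).stdout

def argv_run(target):
    # No shell: each list element reaches the program as one literal argument.
    return subprocess.run(["echo", "migrating", target],
                          capture_output=True, text=True).stdout

def safe_run(target):
    # Hardened form: allowlist validation first, then shell-free execution.
    if not ALLOWED.fullmatch(target):
        raise ValueError(f"rejected target name: {target!r}")
    return argv_run(target)

# Constructed inputs, one per metacharacter, carrying a harmless marker.
SAMPLES = ["node1; echo MARK", "node1 | echo MARK",
           "node1 & echo MARK", "node1 `echo MARK`"]

def compare(samples=SAMPLES):
    rows = []
    for s in samples:
        out = unsafe_run(s)
        second_command_ran = "MARK" in out and "echo" not in out
        literal = argv_run(s).strip() == "migrating " + s
        try:
            safe_run(s)
            rejected = False
        except ValueError:
            rejected = True
        rows.append((s, second_command_ran, literal, rejected))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Each row reports whether the shell form ran a second command, whether the argument-list form kept the input literal, and whether the allowlist rejected it.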

An unauthenticated attacker with network access to the affected system can break out of the intended command context and execute arbitrary OS-level commands - effectively achieving remote code execution (RCE) on the host. The one limiting factor is timing: exploitation requires that a support-assisted product migration be in progress. This narrows the attack window but does not eliminate the risk, particularly in large enterprise environments where migrations are routine.

Successful exploitation could result in full system compromise, unauthorized access to sensitive operational data, configuration tampering, and lateral movement through virtualized infrastructure.

What's Also in VMSA-2026-0001?

The advisory covers two additional flaws bundled with CVE-2026-22719:

CVE-2026-22720 - Stored Cross-Site Scripting (XSS), CVSSv3 8.0 (High). Allows a malicious actor to inject persistent scripts into the Aria Operations interface, affecting users who view compromised content.

CVE-2026-22721 - Privilege Escalation, CVSSv3 6.2 (Moderate). A malicious actor with existing vCenter privileges can leverage this to gain administrative access within Aria Operations. While rated moderate, privilege escalation flaws are frequently weaponized as stepping stones in multi-stage attacks.

Broadcom credited security researchers Sven Nobis and Lorin Lehawany of ERNW Enno Rey Netzwerke GmbH for reporting CVE-2026-22721.

Who Is Affected?

The following Broadcom/VMware products are confirmed vulnerable:

  • VMware Aria Operations 8.x (up to and including 8.18.5)
  • VMware Aria Operations 9.x (up to and including 9.0.1)
  • VMware Cloud Foundation Operations 9.x
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

VMware Aria Operations is deeply embedded in enterprise environments globally - from telecom operators and financial institutions to hyperscale cloud deployments. The attack surface here is not small.

Why This Matters for Enterprise Teams

VMware Aria Operations sits at the heart of infrastructure monitoring, automation, and visibility across hybrid and multi-cloud environments. Compromising it is not a minor incident - it can hand an attacker the keys to an organization's entire virtualized infrastructure.

The unauthenticated nature of CVE-2026-22719 is what elevates this beyond a typical enterprise patch cycle. Most internal tooling requires at least basic credentials to be exploited. This one does not. Any attacker with network reach to the management interface during an active migration window can trigger it.

That risk window - between patch disclosure and full enterprise remediation - is precisely when exploitation tends to occur.

Patch and Mitigation Steps

Primary action: Upgrade to the patched versions listed in VMSA-2026-0001 immediately. Broadcom has published fixed releases for all affected product lines. Consult the Response Matrix in the official advisory for your specific version.

If you cannot patch immediately:

Broadcom has published a dedicated workaround script (aria-ops-rce-workaround.sh) via Knowledge Base Article 430349, applicable to Aria Operations 8.18.x and 9.0.x. Important caveats:

  • The workaround only addresses CVE-2026-22719
  • It does not mitigate CVE-2026-22720 or CVE-2026-22721
  • Patching to the fixed release remains the only complete remediation

Additional hardening steps:

  1. Restrict network access to Aria Operations management interfaces - allow only trusted IPs
  2. Implement network segmentation to isolate Aria Operations management servers
  3. Postpone non-critical support-assisted migrations until patches are fully applied
  4. Audit access controls within vCenter and Aria Operations
  5. Increase monitoring around the Aria Operations management plane for anomalous activity

Check Your Exposure

To verify if your environment is affected:

  1. Identify your Aria Operations version: Administration > Support > About
  2. Compare against the affected version ranges (8.x ≤ 8.18.5 or 9.x ≤ 9.0.1)
  3. If affected, apply either the workaround script or the full patch immediately
  4. Confirm the fix by rechecking the version after the update
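
The comparison in steps 2 and 3, applied to an inventory of appliances. This is an added example, not a Broadcom tool: the hostnames and version strings are constructed, and the function names are hypothetical. It covers only the Aria Operations 8.x and 9.x ranges stated on this page, and a version above those ranges should still be confirmed against the advisory's Response Matrix.

```python
import re

# Upper bounds of the affected ranges as stated on this page.
AFFECTED_MAX = {8: (8, 18, 5), 9: (9, 0, 1)}
# Branches this page says the KB 430349 workaround script applies to.
WORKAROUND_BRANCHES = {(8, 18), (9, 0)}

def parse_version(text):
    """Turn '8.18.5' or '9.0' into a 3-int tuple, padding missing parts with 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def assess(version_text):
    v = parse_version(version_text)
    limit = AFFECTED_MAX.get(v[0])
    if limit is None:
        return {"version": v, "status": "not-listed", "workaround": False}
    affected = v <= limit
    return {
        "version": v,
        "status": "affected" if affected else "above-affected-range",
        # The workaround covers only CVE-2026-22719, and only on these branches.
        "workaround": affected and v[:2] in WORKAROUND_BRANCHES,
    }

def triage(inventory):
    """inventory maps hostname -> version string; affected hosts sort first."""
    rows = [(host, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[1]["status"] != "affected", r[0]))

# Constructed inventory for illustration.
INVENTORY = {
    "aria-ops-01.example.internal": "8.18.5",
    "aria-ops-02.example.internal": "8.18.6",
    "aria-ops-03.example.internal": "9.0.1",
    "aria-ops-04.example.internal": "8.14.2",
}

if __name__ == "__main__":
    for host, r in triage(INVENTORY):
        action = "workaround or upgrade" if r["workaround"] else "upgrade"
        if r["status"] != "affected":
            action = "check Response Matrix"
        print(f"{host:32} {r['status']:22} {action}")
```

The 8.14.2 host is affected but falls outside the branches the workaround script supports, so upgrading is its only option.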

Bottom Line

CVE-2026-22719 is a high-severity, unauthenticated command injection vulnerability in VMware Aria Operations. It can lead to full remote code execution during product migrations, with no credentials required.

Patches are available. Broadcom has also provided a targeted workaround script for environments that cannot patch immediately. There is no excuse to delay - the risk window is open from the moment this advisory is public.

Priority: High for all VMware Aria Operations deployments. Critical for environments with active or planned support-assisted migrations.

---

Sources:

  • Broadcom VMSA-2026-0001 Security Advisory (February 24, 2026)
  • Broadcom Knowledge Base Article 430349
  • VMware Aria Operations 8.18.6 Release Notes
  • SentinelOne Vulnerability Database
  • Tenable CVE-2026-22719 Record
  • Veeam Community Security Bulletin