CISA added a VMware Aria Operations command-injection flaw (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog and has mandated federal remediation by March 24, 2026. Broadcom and VMware released patches and a temporary workaround script, but Broadcom says it cannot independently confirm reports of in-the-wild exploitation.
Key points
- CISA added CVE-2026-22719 to its KEV catalog and set a March 24, 2026 remediation deadline for federal agencies.
- Broadcom identifies the issue as a command injection that can allow unauthenticated arbitrary command execution and possible remote code execution during migration.
- Broadcom is aware of reports of exploitation but cannot independently verify those claims.
- VMware released security patches on February 24, 2026, and provided a workaround script named aria-ops-rce-workaround.sh for affected appliances.
- Administrators should apply the patches or implement the workaround immediately to mitigate potential active exploitation.