The U.S. cybersecurity agency has issued a fresh warning for organizations using VMware products. CISA has officially added a critical VMware vulnerability, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation in the wild.
This move signals serious risk for enterprises running VMware environments, especially those relying on VMware Aria Operations for infrastructure monitoring and management. Businesses are now urged to act quickly to apply patches and reduce exposure.
The vulnerability, tracked as CVE-2026-22719, carries a high CVSS score of 8.1, making it a significant security concern. It affects VMware Aria Operations, a widely used platform for monitoring and managing IT infrastructure across virtual and cloud environments.
Security researchers have identified the flaw as a command injection vulnerability. In simple terms, this means an attacker could send specially crafted input to the system, forcing it to execute unauthorized commands.
Even more concerning, the flaw does not require authentication. A remote attacker can exploit the issue without valid login credentials. If successfully exploited, it may allow:
Execution of arbitrary commands
Remote code execution (RCE)
Full compromise of affected systems
According to an advisory from Broadcom, the vulnerability can be triggered during a support-assisted product migration process. During this period, attackers may exploit the flaw to execute malicious code remotely.
When CISA adds a vulnerability to its KEV catalog, it means there is credible evidence of active exploitation. The KEV list serves as a priority alert for both public and private sector organizations.
The addition of CVE-2026-22719 indicates:
Real-world attacks may already be happening
Attackers are actively targeting vulnerable systems
Immediate remediation is strongly recommended
Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply patches by March 24, 2026. While the directive directly applies to U.S. federal agencies, private organizations should treat this deadline as an urgent benchmark for patching.
In addition to CVE-2026-22719, VMware also fixed two other security flaws:
CVE-2026-22720 – A stored cross-site scripting (XSS) vulnerability
CVE-2026-22721 – A privilege escalation flaw that could grant administrative access
These vulnerabilities add to the risk for affected VMware deployments. When combined, they could allow attackers to escalate access and maintain persistence inside compromised networks.
The vulnerabilities impact the following VMware products:
VMware Cloud Foundation 9.x.x.x – Fixed in version 9.0.2.0
VMware vSphere Foundation 9.x.x.x – Fixed in version 9.0.2.0
VMware Aria Operations 8.x – Fixed in version 8.18.6
Organizations running older versions are at high risk if patches are not applied immediately.
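A version check against the fixed releases listed above, as an added example that is not part of the original article or of Broadcom's tooling. The host names and version strings in the inventory are constructed, and reusing the March 24, 2026 FCEB deadline as the cut-off for "overdue" is an assumption of this example.

```python
import re
from datetime import date

# Affected major branch and first fixed release, as listed in the article.
FIXED = {
    "VMware Cloud Foundation": (9, (9, 0, 2, 0)),
    "VMware vSphere Foundation": (9, (9, 0, 2, 0)),
    "VMware Aria Operations": (8, (8, 18, 6)),
}
KEV_DUE = date(2026, 3, 24)  # FCEB deadline from the article, reused as cut-off (assumption)

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, or None if there is none."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(product, version, today):
    """Classify one inventory entry against the article's fixed versions."""
    if product not in FIXED:
        return "not-listed"
    major, fixed = FIXED[product]
    v = parse_version(version)
    if v is None:
        return "unparsable"  # needs a manual look, do not assume patched
    if v[0] != major:
        return "branch-not-covered"  # the article only lists the 9.x and 8.x branches
    n = max(len(v), len(fixed))  # zero-pad so 8.18.6 and 8.18.6.0 compare equal
    v, fixed = v + (0,) * (n - len(v)), fixed + (0,) * (n - len(fixed))
    if v >= fixed:
        return "patched"
    return "overdue" if today > KEV_DUE else "vulnerable"

# Constructed inventory: (host, product, reported version string).
INVENTORY = [
    ("ops-node-1", "VMware Aria Operations", "8.18.5-24025145"),
    ("ops-node-2", "VMware Aria Operations", "8.18.6.0"),
    ("vcf-mgmt", "VMware Cloud Foundation", "9.0.1.0"),
    ("legacy-ops", "VMware Aria Operations", "unknown"),
]

def report(today):
    return {host: assess(prod, ver, today) for host, prod, ver in INVENTORY}

if __name__ == "__main__":
    print(report(date.today()))
```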
For customers who cannot apply updates right away, Broadcom has provided a temporary workaround. A shell script named aria-ops-rce-workaround.sh can be downloaded and executed as root on each Aria Operations Virtual Appliance node.
While this script may help reduce risk, it is not a permanent fix. Security experts strongly recommend applying official patches as soon as possible.
At this time, there are limited details about how attackers are exploiting CVE-2026-22719. It remains unclear:
Who is behind the attacks
What industries are being targeted
The scale of exploitation
Broadcom has acknowledged reports of potential exploitation but stated it cannot independently confirm the claims. However, CISA’s decision to add the flaw to the KEV catalog suggests credible threat intelligence supports active abuse.
Organizations should assume threat actors are scanning for exposed VMware Aria Operations systems.
VMware Aria Operations is widely deployed in enterprise environments for monitoring performance, optimizing workloads, and managing infrastructure health. Because it often has high-level visibility and system access, it becomes an attractive target for cybercriminals.
If attackers gain remote code execution on this platform, they may:
Move laterally within corporate networks
Access sensitive data
Disrupt virtual infrastructure
Deploy ransomware
Given the rise in ransomware and nation-state cyberattacks, vulnerabilities in infrastructure management tools present serious business risks.
To protect your organization, follow these steps:
Apply patches immediately to affected VMware products.
Review system logs for unusual command execution activity.
Restrict external access to VMware Aria Operations interfaces.
Implement network segmentation to limit lateral movement.
Monitor threat intelligence feeds for updates related to CVE-2026-22719 exploitation.
Proactive vulnerability management remains critical in today’s threat landscape.
The addition of CVE-2026-22719 to CISA’s KEV catalog highlights the growing risk to enterprise virtualization environments. With active exploitation reported, delaying patch deployment could expose organizations to severe compromise.
Security leaders, IT administrators, and cloud infrastructure teams should treat this vulnerability as a top priority. Immediate remediation and strong monitoring controls are essential to prevent remote code execution attacks targeting VMware environments.
