CISA Warns of VMware Aria Operations RCE Flaw Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, tracked as CVE-2026-22719, has been identified as actively exploited in attacks, posing a significant risk to organizations using the platform.
Broadcom, the company behind VMware Aria Operations, has acknowledged reports of the vulnerability being exploited but cannot independently confirm these claims. The platform is an essential enterprise monitoring tool, enabling organizations to monitor server, network, and cloud infrastructure performance and health.
The vulnerability was initially disclosed and patched on February 24, 2026, as part of VMware's VMSA-2026-0001 advisory, rated as 'Important' with a CVSS score of 8.1. CISA has mandated that federal civilian agencies address this issue by March 24, 2026.
Broadcom's advisory highlights a command injection vulnerability (CVE-2026-22719) that enables unauthenticated attackers to execute arbitrary commands on vulnerable systems. This could lead to remote code execution during VMware Aria Operations' support-assisted product migration process.
To mitigate the risk, Broadcom released security patches and a temporary workaround script named 'aria-ops-rce-workaround.sh'. This script, executed as root on each Aria Operations appliance node, disables components of the migration process that could be exploited. It removes the file '/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh' and the corresponding sudoers entry, preventing unauthorized root access.
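As an added example (not Broadcom's script and not taken from the advisory), the shell function below checks whether a node still has the migration script or a sudoers line referencing it, which is the state the workaround is described as removing. The sudoers locations it scans (/etc/sudoers and /etc/sudoers.d) and the optional root-prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: verify the workaround state on one Aria Operations node.
# MIGRATION_SCRIPT is the path named in the article. The sudoers locations
# scanned below are an assumption; the article does not say where the entry lives.
MIGRATION_SCRIPT='/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh'

# check_workaround [ROOT]
# ROOT is an optional filesystem prefix (empty for the live system, or the
# mount point of an offline image). Run as root so sudoers files are readable.
# Prints findings; returns 0 if nothing remains, 1 otherwise.
check_workaround() {
    root="${1:-}"
    name="${MIGRATION_SCRIPT##*/}"   # match on file name to catch any path form
    status=0

    # 1. The migration script itself should be gone.
    if [ -e "${root}${MIGRATION_SCRIPT}" ]; then
        echo "PRESENT: ${root}${MIGRATION_SCRIPT}"
        status=1
    fi

    # 2. No active sudoers line should still reference it.
    for f in "${root}/etc/sudoers" "${root}/etc/sudoers.d"/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then
            # An unreadable file cannot be cleared, so treat it as a failure.
            echo "UNREADABLE: $f (re-run as root)"
            status=1
            continue
        fi
        # Skip comment lines, then look for the literal script name.
        if grep -v '^[[:space:]]*#' "$f" | grep -qF "$name"; then
            echo "SUDOERS: $f still references $name"
            status=1
        fi
    done

    if [ "$status" -eq 0 ]; then
        echo "OK: migration script and sudoers reference not found"
    fi
    return "$status"
}
```

Call `check_workaround` with no argument on each appliance node; a non-zero return means the patch or workaround still needs to be applied there.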
Admins are urged to apply the patches or use the workaround promptly, especially if they suspect active exploitation.