CISA Warns of Exploited VMware Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability in Broadcom’s VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-22719, is currently being leveraged by threat actors in the wild, posing a significant risk to enterprise cloud environments.
This high-severity security issue (CVSS score: 8.1) is characterized as a command injection vulnerability. It resides within the IT operations management platform, which organizations use for monitoring and optimizing virtualized infrastructure. The flaw allows an unauthenticated attacker to bypass security protocols and gain unauthorized access to internal systems.
Specifically, the vulnerability can be triggered during a support-assisted product migration. A malicious actor can exploit this window to execute arbitrary commands, which may lead to full Remote Code Execution (RCE). Because it requires no prior authentication, the barrier to entry for attackers is dangerously low, making it a high-priority target for cybercriminal groups.
Broadcom initially patched the flaw in late February 2026. However, reports of potential exploitation surfaced shortly thereafter, prompting CISA's intervention. The agency’s decision to include it in the KEV catalog mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary security updates by March 24, 2026.
The vulnerability impacts multiple versions of Aria Operations (8.x and 9.x), as well as VMware Cloud Foundation and Telco Cloud platforms. Organizations are urged to upgrade to version 8.18.6 or 9.0.2 immediately. For those unable to patch instantly, Broadcom has released a shell script as a temporary workaround to mitigate the RCE risk.
Security experts note that VMware products are frequent targets for nation-state actors and ransomware gangs due to their central role in data center management. Compromising Aria Operations could allow an attacker to move laterally through a network, escalating privileges and exfiltrating sensitive corporate data.
As the deadline for federal compliance approaches, private sector organizations are also strongly encouraged to prioritize this update. In an era of escalating cloud-based threats, maintaining the integrity of infrastructure management tools is no longer optional—it is a foundational requirement for digital resilience.



