The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog to include a new critical flaw affecting VMware Aria Operations. This inclusion highlights the active exploitation of the vulnerability identified as CVE-2026-22719, which poses a significant risk to enterprise security.
Understanding the Vulnerability
CVE-2026-22719 has been classified as a command injection vulnerability with a high severity score of 8.1 on the CVSS scale. This flaw enables unauthorized attackers to execute arbitrary commands, potentially leading to remote code execution during product migration processes in VMware Aria Operations. VMware’s advisory from late last month emphasized the severity of this issue.
Two other vulnerabilities have also been addressed: CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, which could allow privilege escalation and administrative access.
Affected Products and Solutions
The vulnerabilities affect specific versions of VMware products, including VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in version 9.0.2.0) and VMware Aria Operations 8.x (fixed in version 8.18.6). For those unable to apply the patch immediately, VMware provides a shell script workaround to mitigate the risk.
Despite these measures, details on the exploitation methods, responsible parties, and overall scale remain unclear. Broadcom acknowledged reports of exploitation but has yet to confirm them independently.
Urgency for Federal Agencies
Given the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary patches by March 24, 2026. This urgent directive underscores the critical nature of the vulnerability and the need for immediate action to safeguard against potential cybersecurity threats.
As developments continue, organizations are advised to stay informed and ensure their systems are updated to prevent compromise from these known vulnerabilities.
