Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New This Week
CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog on March 3, 2026, creating a mandatory March 24 remediation deadline for FCEB agencies. That deadline has now passed.
Changelog
| Date | Summary |
|---|---|
| 27 Mar 2026 | Initial publication covering CISA KEV addition and patch advisory. |
On March 3, CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog. The flaw is a command injection vulnerability in VMware Aria Operations – formerly vRealize Operations, the platform VMware customers use to monitor and manage their virtualised infrastructure. CVSS score: 8.1.
The patching deadline for Federal Civilian Executive Branch agencies was March 24. That date has passed.
What the vulnerability is
An unauthenticated attacker can inject arbitrary commands while a support-assisted product migration is in progress, potentially leading to remote code execution. The "unauthenticated" part matters: this does not require a valid account. If the migration workflow is active and the appliance is reachable, an attacker has a path in. Treat the migration precondition as narrowing the window, not as a mitigation: restrict network reachability of the appliance to the management network, and do not start a support-assisted migration on a node that has neither the patch nor the workaround.
Aria Operations sits at the centre of VMware infrastructure management. It ingests performance data, surfaces recommendations, and handles capacity planning across vSphere environments. Compromising it does not just give an attacker a foothold – it gives them visibility into your entire virtualisation layer.
The signal problem
Broadcom published an advisory acknowledging reports of potential exploitation in the wild, while noting it cannot independently confirm their validity. That is an unusual position to be in publicly.
CISA’s KEV catalog has an explicit requirement: a vulnerability only gets listed if there is evidence of active exploitation. CISA confirmed exploitation. Broadcom said it could not. Those two statements are not easy to reconcile, and the details on who is exploiting this, or at what scale, have not been made public.
This matters because it shapes how urgently you interpret the signal. Treat the bug as actively exploited: CISA's listing is the stronger of the two statements, its record of applying that evidence standard is reasonably solid, and waiting for the vendor to confirm what the catalog already asserts is the wrong side of the asymmetry.
What else is in the advisory
Broadcom patched two additional vulnerabilities in the same advisory:
- CVE-2026-22720 – a stored cross-site scripting vulnerability
- CVE-2026-22721 – a privilege escalation vulnerability that could result in administrative access
Neither of the two additional CVEs appears on the CISA KEV list, so the urgency is driven by CVE-2026-22719. All three were addressed in the same advisory, so applying the fixed build closes them together.
Affected versions and patches
| Product | Affected | Fixed in |
|---|---|---|
| VMware Cloud Foundation / VMware vSphere Foundation | 9.x | 9.0.2.0 |
| VMware Aria Operations | 8.x | 8.18.6 |
If you cannot patch immediately
Broadcom has published a workaround script: aria-ops-rce-workaround.sh. It must be run as root on every Aria Operations Virtual Appliance node in the deployment, not just the one you happen to be logged into. The script is available at knowledge.broadcom.com/external/article/430349. Download it from that KB article rather than from a copy passed around internally, read it before you run it with root privileges, and record which nodes received it so you can confirm later that the patch has superseded it everywhere.
Running the workaround is not the same as patching. It buys time. Patch when you can.
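The table above and the workaround note together give three possible states for a node: on a fixed build, below the fixed build but with the workaround applied, or exposed. The following is an added example, not Broadcom's tooling or anything from the KB article, of triaging an inventory against those states. It takes the fixed builds from the advisory table, assumes version strings are plain dotted integers (a non-numeric version string is rejected rather than guessed at), and uses constructed hostnames and versions; the "9.0.10.0" entry is there to show why versions must be compared component-wise rather than as strings.

```python
"""Triage Aria Operations nodes against the fixed builds in the advisory.

Added example: not Broadcom tooling. The inventory below is constructed.
"""
from dataclasses import dataclass

# Fixed builds from the advisory table, keyed by major version line.
FIXED_BUILDS = {
    8: (8, 18, 6),     # VMware Aria Operations 8.x -> 8.18.6
    9: (9, 0, 2, 0),   # VCF / vSphere Foundation 9.x -> 9.0.2.0
}


def parse_version(text):
    """Parse a dotted version such as '8.18.5' or '9.0.2.0' into ints.

    Anything that is not purely numeric components raises, so a typo in
    an inventory export fails loudly instead of silently reading as fixed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version):
    """True if at or above the fixed build for its line, False if below,
    None if the advisory does not name that version line at all."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return None
    # Pad with zeros so '8.18.6' and '8.18.6.0' compare equal, then compare
    # component-wise as integers. A plain string comparison would rank
    # 9.0.10.0 below 9.0.2.0 because '1' sorts before '2'.
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return v_padded >= fixed_padded


@dataclass
class Node:
    name: str
    version: str
    workaround_applied: bool = False   # aria-ops-rce-workaround.sh run as root


def triage(node):
    """Classify one node: patched / mitigated / vulnerable / review."""
    fixed = is_fixed(node.version)
    if fixed is None:
        return "review"        # version line the advisory does not name
    if fixed:
        return "patched"
    if node.workaround_applied:
        return "mitigated"     # workaround only; the patch is still owed
    return "vulnerable"


def summarize(nodes):
    """Map node name -> status for a whole inventory."""
    return {n.name: triage(n) for n in nodes}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_NODES = [
    Node("aria-primary-01", "8.18.5"),                        # below fix
    Node("aria-data-02", "8.18.5", workaround_applied=True),  # script applied
    Node("aria-collector-03", "8.18.6"),                      # fixed build
    Node("vcf-ops-01", "9.0.1.0"),                            # below fix
    Node("vcf-ops-02", "9.0.10.0"),                           # above fix
    Node("legacy-vrops-01", "7.5.0"),                         # not in advisory
]

if __name__ == "__main__":
    for name, status in summarize(SAMPLE_NODES).items():
        print(f"{name:20} {status}")
```

Anything reported as "mitigated" still belongs on the patch list; the status exists only so that the workaround nodes are not mistaken for exposed ones during the triage, and "review" flags version lines the advisory does not cover so they are checked by hand rather than assumed safe.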
The window has already closed for federal agencies
FCEB agencies were required to remediate by March 24. That deadline is gone. If you run VMware Aria Operations in a federal environment and have not patched, you are out of compliance and sitting on a vulnerability CISA considers actively exploited.
For everyone else: this is a CVSS 8.1 unauthenticated RCE in infrastructure management tooling. The exploitation evidence is thin on public detail, but it was strong enough for CISA to list it. Three weeks since the original disclosure is not a long runway. Apply the patch or run the workaround today.