www.darkreading.com 3/4/2026, 9:50:16 PM

VMware Aria Operations hit by CVE-2026-22719 RCE exploit

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor

VMware Aria Operations is being exploited via a high-severity command injection flaw, CVE-2026-22719, described as enabling an unauthenticated attacker to execute arbitrary commands and potentially achieve remote code execution in affected cloud environments. According to CISA, the CVE is rated 8.1 on the CVSS scale and affects Aria Operations versions prior to 8.18.6. It was first disclosed on 24 February alongside two other flaws.

On 3 March, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, and Broadcom subsequently updated its advisory, noting that it cannot independently confirm exploitation. Vulnerable deployments include Aria Operations up to 8.18.5 and 9.0.1. The recommended fix is to patch to 8.18.6 or VCF 9.0.2.0; users can apply a workaround if patching takes longer than 48 hours.

The article also highlights the broader risk: Aria Operations acts as a central management point, potentially exposing credentials, network topology and monitoring across the virtual estate if compromised, with claims that Scattered Spider, Qilin and Lazarus Group have targeted VMware management infrastructure.

Article by CyberSIXT