CISA KEV Alert 3/5/2026, 6:38:41 PM

CISA adds CVE-2026-22719 to KEV, VMware Aria Operations at risk

CyberSIXT Evidence Panel
Source: marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

CISA has added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability affects Broadcom’s VMware Aria Operations (formerly vRealize Operations, vROps). It is named Broadcom VMware Aria Operations Command Injection Vulnerability and allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support-assisted product migration.

This is a command injection vulnerability with a high potential impact: the CVSS score is 8.1 (High). A patch is available from Broadcom; organisations should review the Broadcom security advisory and the NVD entry for mitigation steps and affected versions.

Exploitation and risk: Active exploitation has been confirmed in the wild, consistent with the KEV listing. No ransomware campaign use has been confirmed for this CVE. The remediation due date is 24 March 2026, by which organisations should have applied mitigations or upgraded to patched software per vendor guidance. Although no ransomware campaigns are currently reported, the KEV designation indicates observable exploitation activity requiring prompt action.

Required action: CISA’s remediation action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Who is affected: FCEB agencies are specifically addressed, but all organisations are advised to review their exposure and plan mitigations accordingly.

For full details, see the NVD entry and the CISA KEV catalogue.

Article by CyberSIXT