According to CISA, the U.S. Cybersecurity and Infrastructure Security Agency, a recently disclosed vulnerability, CVE-2026-22719, has been added to the Known Exploited Vulnerabilities catalog amid active exploitation in the wild. The high-severity flaw (CVSS 8.1) is described as a command-injection bug that could allow an unauthenticated attacker to execute arbitrary commands and potentially achieve remote code execution in Broadcom VMware Aria Operations during a support-assisted migration.
The shortcoming has been addressed alongside CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation). VMware Cloud Foundation and VMware vSphere Foundation 9.x are fixed in 9.0.2.0, and VMware Aria Operations 8.x is fixed in 8.18.6. For those unable to apply patches immediately, Broadcom provides a shell script workaround (aria-ops-rce-workaround.sh) to run as root on each Aria Operations Virtual Appliance node.
There are no details yet on how the vulnerability is being exploited or who is behind the activity. Agencies are required to apply the fixes by 24 March 2026.