March 4, 2026

CISA warns of remote code execution risk in VMware Aria Operations

At a glance: CISA has added a high-severity Broadcom VMware Aria Operations vulnerability (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog following reports of active exploitation. The flaw allows unauthenticated command execution during a support-assisted migration workflow and affects Aria Operations along with platforms that integrate it, including VMware Cloud Foundation and VMware Telco products.

Threat summary

On March 3, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical Broadcom VMware vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, noting active exploitation. That same day, Broadcom acknowledged reports of exploitation but stated it cannot independently verify them.

The vulnerability, tracked as CVE-2026-22719, was disclosed and patched on February 24 in VMware advisory VMSA-2026-0001. It carries a Common Vulnerability Scoring System (CVSS) score of 8.1 and is classified as high severity.

The flaw affects VMware Aria Operations, formerly vRealize Operations (vROps), an operations management and analytics platform used to monitor performance, capacity, and health across on-premises and hybrid cloud environments. It also affects VMware Cloud Foundation, VMware Telco Cloud Infrastructure, and VMware Telco Cloud Platform, which integrate Aria Operations capabilities into broader private cloud and telecommunications stacks.

According to the National Vulnerability Database (NVD) configuration data, affected versions include:

  • VMware Aria Operations from 8.0 up to but excluding 8.18.6
  • VMware Cloud Foundation from 4.0 up to but excluding 5.2.3
  • VMware Cloud Foundation from 9.0 up to but excluding 9.0.2.0
  • VMware Telco Cloud Infrastructure from 2.2 up to and including 3.0
  • VMware Telco Cloud Platform from 4.0 up to and including 5.1
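
The ranges above mix exclusive and inclusive upper bounds, and VMware Cloud Foundation has two disjoint ranges, which is easy to get wrong when checking an inventory by eye. The following is an added example (not code from CISA, Broadcom, or NVD) that applies the listed ranges to inventory rows. It assumes plain dotted numeric versions, reads "up to and including 3.0" literally so that 3.0.1 falls outside the range, and uses constructed host names.

```python
from itertools import zip_longest

# Ranges copied from the list above: (product, low, high, high_is_inclusive).
AFFECTED = [
    ("VMware Aria Operations", "8.0", "8.18.6", False),
    ("VMware Cloud Foundation", "4.0", "5.2.3", False),
    ("VMware Cloud Foundation", "9.0", "9.0.2.0", False),
    ("VMware Telco Cloud Infrastructure", "2.2", "3.0", True),
    ("VMware Telco Cloud Platform", "4.0", "5.1", True),
]

def parse(version):
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):  # rejects "", "8.18.x", "5.1-build7"
        raise ValueError(f"unparseable version: {version!r}")
    return [int(p) for p in parts]

def compare(a, b):
    """Return -1, 0 or 1; missing components count as 0, so 9.0.2 == 9.0.2.0."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_affected(product, version):
    # A product with several ranges is affected if the version is in any of them.
    for name, low, high, inclusive in AFFECTED:
        if name.lower() != product.strip().lower():
            continue
        upper = compare(version, high)
        if compare(version, low) >= 0 and (upper < 0 or (inclusive and upper == 0)):
            return True
    return False

def triage(inventory):  # rows are (host, product, version)
    result = {"affected": [], "ok": [], "review": []}
    for host, product, version in inventory:
        try:
            bucket = "affected" if is_affected(product, version) else "ok"
        except ValueError:
            bucket = "review"  # never silently pass an unparseable version
        result[bucket].append(host)
    return result

# Constructed inventory rows (hypothetical host names), not real systems.
SAMPLE = [
    ("ops-01.example", "VMware Aria Operations", "8.18.5"),
    ("vcf-01.example", "VMware Cloud Foundation", "9.0.2"),
    ("tcp-01.example", "VMware Telco Cloud Platform", "5.1-build7"),
]
```

Calling `triage(SAMPLE)` places the unpatched Aria Operations host in `affected`, the fixed Cloud Foundation host in `ok`, and the host with a build-suffixed version string in `review` for manual checking.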

Analysis and recommendations

The flaw allows an unauthenticated user to run commands on the system during a process VMware describes as “support‑assisted product migration.”

This refers to a migration workflow that is initiated when VMware Support is involved in moving an Aria Operations deployment between versions or environments. During this workflow, the product enables additional migration‑related components that are not active during normal operation. These components exist to facilitate data transfer, configuration handling, and other steps required to complete the migration.

The vulnerable code path is active only while the support-assisted migration workflow is running. In practical terms, the exposure window opens when the system enters this migration state and closes once the workflow ends. If an adversary can reach the system during that period, they can exploit the flaw to inject commands and gain remote code execution on the Aria Operations appliance. Outside this workflow, the vulnerable functionality is not accessible.

VMware Aria Operations and the related platforms operate as central management planes with visibility into virtual machines, clusters, storage, and network components. Compromise of this layer gives an adversary access to a system that oversees large portions of the virtual infrastructure, enabling asset discovery, credential harvesting, and unauthorized changes across broad environments.

This creates risk for enterprises, service providers, and managed service providers that deploy VMware Aria Operations directly, as well as organizations using VMware Cloud Foundation and VMware telco platforms where Aria Operations is embedded. Multi-tenant deployments, where one Aria Operations instance monitors multiple customer environments, increase exposure if an attacker gains control of the management plane.

Successful exploitation enables unauthorized execution of attacker-controlled code on the Aria Operations appliance or integrated management components, with potential for lateral movement into connected virtualization and cloud infrastructure. In a worst-case scenario, a threat actor with persistent access to this management layer can manipulate workloads, disrupt services, and extract operational data across many systems.

Primary remediation relies on applying vendor patches for CVE-2026-22719 across VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Infrastructure, and VMware Telco Cloud Platform. When immediate patching is not possible, restrict network access to Aria Operations and related management components, remove direct internet exposure, enforce strong authentication and access controls for administrative interfaces, and segment these systems from general user networks.

Security operations teams can increase logging and monitoring around Aria Operations and integrated VMware management components, focusing on unexpected administrative actions, unusual process execution, and configuration changes initiated from atypical sources.
