CVE-2026-22719

Severity: High (CVSS 3.1 base score 8.1) · CISA KEV · EPSS 96.7%
Published: Feb 25, 2026
Last Modified: Jun 17, 2026
KEV Listed: Mar 3, 2026
KEV Due: Mar 24, 2026

Description

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.

To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the Response Matrix in VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the Response Matrix in VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

CVSS Details

Base Score: 8.1
Exploitability: 2.2
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

CISA Known Exploited (overdue 98d)
Added: Mar 3, 2026
Due: Mar 24, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability: 96.7% percentile
Exploit & Patch Status: Actively Exploited (KEV); Patch Available

Weaknesses 1

CWE-77: Command Injection

Affected Products 5

Vendor   Product                      Version   Range
vmware   aria_operations              *         ≥8.0 – <8.18.6
vmware   cloud_foundation             *         ≥4.0 – <5.2.3
vmware   cloud_foundation             *         ≥9.0 – <9.0.2.0
vmware   telco_cloud_infrastructure   *         ≥2.2 – ≤3.0
vmware   telco_cloud_platform         *         ≥4.0 – ≤5.1

References 4

  • knowledge.broadcom.com https://knowledge.broadcom.com/external/article/430349
    Mitigation, Vendor Advisory
  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
    Patch, Vendor Advisory
  • techdocs.broadcom.com https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html
    Release Notes
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22719
    US Government Resource

Remediation

  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
    Patch, Vendor Advisory