Cyber Posture

CVE-2026-22719

HighCISA KEVActive Exploitation

Published: 25 February 2026

Published
25 February 2026
Modified
04 March 2026
KEV Added
03 March 2026
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0209 84.2th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Description

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate…

more

CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001 Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the command injection vulnerability by requiring timely identification, testing, and deployment of patches specified in VMSA-2026-0001 for VMware Aria Operations.

SI-10 Information Input Validation good match
prevent

Prevents command injection exploitation by enforcing input validation and error handling at entry points used during support-assisted product migration.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Ensures awareness of and response to security advisories like VMSA-2026-0001 and CISA KEV catalog entries for this known exploited vulnerability in VMware Aria Operations.

Security SummaryAI

VMware Aria Operations is affected by CVE-2026-22719, a command injection vulnerability (CWE-77) with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Published on 2026-02-25, the flaw allows arbitrary command execution, potentially leading to remote code execution specifically while support-assisted product migration is in progress.

A malicious unauthenticated actor can exploit this vulnerability over the network with no privileges required and no user interaction needed, though it involves high attack complexity. Successful exploitation enables execution of arbitrary commands on the affected VMware Aria Operations instance, resulting in high confidentiality, integrity, and availability impacts.

Broadcom's VMSA-2026-0001 advisory, detailed in the Response Matrix at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947, recommends applying patches listed in the 'Fixed Version' column. Workarounds are also documented in the 'Workarounds' column of the same matrix.

The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, indicating real-world exploitation activity. Additional details are available in Broadcom's knowledge base at https://knowledge.broadcom.com/external/article/430349 and release notes at https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html.

Details

CWE(s)
CWE-77
KEV Date Added
03 March 2026

Affected Products

vmware
aria operations
8.0 — 8.18.6
vmware
cloud foundation
4.0 — 5.2.3 · 9.0 — 9.0.2.0
vmware
telco cloud infrastructure
2.2 — 3.0
vmware
telco cloud platform
4.0 — 5.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE-2026-22719 is a command injection vulnerability in a network-accessible VMware Aria Operations instance (AV:N/PR:N), enabling unauthenticated remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References