CISA adds VMware Aria Operations command-injection flaw to KEV, federal agencies ordered to patch
CISA added CVE-2026-22719 to its KEV catalog on March 3, forcing FCEB agencies to remediate by March 24; Broadcom patched the bug Feb 24 amid reports of active exploitation.
CISA on March 3 added CVE-2026-22719, a command-injection flaw in Broadcom’s VMware Aria Operations, to its Known Exploited Vulnerabilities catalog, citing reports of active exploitation and triggering a March 24 remediation deadline for Federal Civilian Executive Branch agencies under BOD 22-01. The listing starts the 21-day clock BOD 22-01 gives agencies to patch or apply vendor mitigations, here for a platform that monitors servers, networks, and cloud infrastructure and typically holds adapter credentials for the systems it watches, which makes a compromised node a convenient pivot point.
Broadcom disclosed and published fixes for the Aria vulnerabilities on February 24 in advisory VMSA-2026-0001. Broadcom rates CVE-2026-22719 as Important, which on VMware’s severity scale covers CVSSv3 base scores from 7.0 to 8.9 and is consistent with the 8.1 base score cited in public reporting. Broadcom also acknowledged publicly that “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”
Security vendors and operations teams are treating the KEV listing as an escalation. Smartermsp’s advisory and VMware’s patch notes recommend upgrading Aria Operations to 8.18.6 or later, updating VMware Cloud Foundation to 9.0.2.0 or later, and applying the Telco Cloud patches referenced in KB428241. For organizations that cannot apply updates immediately, TheHackerNews and others cite a published temporary mitigation: customers can “download and run a shell script ('aria-ops-rce-workaround.sh') as root from each Aria Operations Virtual Appliance node.” The script is a stopgap rather than a substitute for the fixed release, and in a multi-node deployment it has to be run on every node, not only the primary.
The vulnerability’s trigger condition and the privileges an attacker needs remain points of disagreement in public reporting. Quoting Broadcom, TheHackerNews reported that “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.” By contrast, Smartermsp’s advisory states more narrowly that “An authenticated attacker with network access to the Aria Operations setup can inject malicious strings into specific configuration parameters, resulting in Remote Code Execution (RCE).” Until the vendor’s advisory language is confirmed in full, security teams should plan for the worse case, an unauthenticated attacker with network reach to the appliance, and treat the two stated preconditions (an in-progress support-assisted migration, or a valid account) as narrowing exposure rather than removing it.

Public technical details about exploit methods and attribution have not been released. As TheHackerNews put it, “There are currently no details on how the vulnerability is being exploited in the wild, who is behind it, and the scale of such efforts.” BleepingComputer reported that it had contacted Broadcom for clarification and had not received a response at the time of its March 3 story.
Administrators should act on multiple fronts: apply Broadcom’s fixed releases, run the published workaround where immediate patching is impossible, and, per Smartermsp’s recommendation, keep Aria Operations on a restricted management network with no exposure to the public internet. The BOD 22-01 deadline binds only FCEB agencies, but many enterprises key their own patch SLAs to KEV due dates, so the designation places the flaw alongside other high-priority listings federal and enterprise defenders are now tracking and underscores how quickly a disclosed bug can shift into an enforced remediation timeline.
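A small triage helper for the situation the article describes, added here as an example rather than code from CISA, Broadcom or any of the sources quoted above: it reads a KEV catalog export, pulls the entries for a product, computes the BOD 22-01 clock from the dateAdded and dueDate fields, and lists inventory nodes still below the fixed release named in the patch guidance (8.18.6). The field names follow CISA's public known_exploited_vulnerabilities.json feed; the catalog excerpt (free-text fields are placeholders) and the node inventory are constructed sample data, and collecting each node's installed version is assumed to be done by your own tooling.

```python
"""KEV triage helper (added example; not code from CISA, Broadcom or the article's
sources). Reads a KEV catalog export, finds the entries for a product, computes the
BOD 22-01 clock, and flags inventory nodes below the fixed release."""
from __future__ import annotations

import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Only the CVE, vendor,
# product and the two dates come from the article; free-text fields are placeholders.
KEV_SNIPPET = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.03",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-22719",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations",
            "vulnerabilityName": "constructed placeholder",
            "dateAdded": "2026-03-03",
            "shortDescription": "constructed placeholder",
            "requiredAction": "constructed placeholder",
            "dueDate": "2026-03-24",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})

# Fixed Aria Operations release cited in the patch guidance.
FIXED_VERSION = "8.18.6"

# Constructed inventory: Aria Operations node -> installed version (assumed to be
# gathered by your own tooling; the collection step is not shown here).
INVENTORY = {
    "aria-ops-01.corp.example": "8.18.5",
    "aria-ops-02.corp.example": "8.18.6",
    "aria-ops-03.corp.example": "8.17.0",
    "aria-ops-04.corp.example": "8.18.10",
}


def _as_date(value: date | str) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def kev_entries(catalog_json: str, product: str) -> list[dict]:
    """Return KEV entries whose product field contains `product` (case-insensitive)."""
    catalog = json.loads(catalog_json)
    needle = product.lower()
    return [v for v in catalog["vulnerabilities"] if needle in v["product"].lower()]


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between listing (dateAdded) and the BOD 22-01 dueDate."""
    return (_as_date(entry["dueDate"]) - _as_date(entry["dateAdded"])).days


def days_remaining(entry: dict, today: date | str) -> int:
    """Days until the due date; negative once the deadline has passed."""
    return (_as_date(entry["dueDate"]) - _as_date(today)).days


def parse_version(version: str) -> tuple[int, ...]:
    """Split '8.18.10' into (8, 18, 10) so each component compares numerically.
    Plain string comparison gets this wrong: '8.18.10' < '8.18.6' as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def nodes_needing_action(inventory: dict[str, str], fixed: str) -> list[str]:
    """Hostnames whose installed version is below the fixed release."""
    floor = parse_version(fixed)
    return sorted(host for host, ver in inventory.items() if parse_version(ver) < floor)


def triage(catalog_json: str, inventory: dict[str, str], product: str,
           fixed: str, today: date | str) -> list[dict]:
    """One summary row per matching KEV entry: deadline status plus unpatched nodes."""
    return [
        {
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "window_days": remediation_window_days(entry),
            "days_left": days_remaining(entry, today),
            "unpatched": nodes_needing_action(inventory, fixed),
        }
        for entry in kev_entries(catalog_json, product)
    ]


if __name__ == "__main__":
    for row in triage(KEV_SNIPPET, INVENTORY, "Aria Operations", FIXED_VERSION, "2026-03-10"):
        print(f"{row['cve']}: due {row['due']} ({row['days_left']} days left, "
              f"{row['window_days']}-day window); unpatched: "
              f"{', '.join(row['unpatched']) or 'none'}")
```

Pointing `kev_entries` at the real feed is a matter of fetching the JSON and passing it in; the version comparison is the part worth keeping, since a lexical compare would wrongly report a node on 8.18.10 as older than the 8.18.6 fix.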