
What happened
CISA added CVE-2026-22719 (VMware Aria Operations command injection) to the Known Exploited Vulnerabilities (KEV) catalog. The listing indicates active exploitation and gives U.S. federal civilian agencies a remediation deadline of March 24, 2026.
Broadcom says it has seen exploitation reports and has published patches and a workaround for organizations that cannot patch immediately.
Why this matters
- KEV inclusion is a strong signal that exploitation is happening in the wild.
- The flaw can be exploited without authentication and can lead to remote code execution during support-assisted migration workflows.
- Aria Operations is commonly connected to broader infrastructure telemetry, making it a high-value foothold.
What defenders should do now
- Patch immediately using Broadcom/VMware guidance.
- If patching is delayed, apply the temporary vendor workaround on all affected appliance nodes.
- Restrict management-plane exposure and review any internet-facing Aria components.
- Hunt for suspicious command execution and migration-service abuse indicators.
- Prioritize this CVE in vulnerability SLAs due to active exploitation status.
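One way to apply the SLA item above, as an added example that is not from the original article or from CISA or Broadcom: a KEV due date pulls a finding's remediation deadline forward, never later. The feed record uses the KEV catalog's JSON field names with only the values stated in this article; the scanner export format, host names and the non-KEV placeholder CVE are assumptions.

```python
import json
from datetime import date

# Constructed sample in the KEV catalog's JSON layout; only the CVE ID,
# product and due date come from the article.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-22719", "product": "VMware Aria Operations", "dueDate": "2026-03-24"}
]}
""")

# Constructed scanner findings (hypothetical export format and host names).
# CVE-0000-00001 is a placeholder for a finding that is not in KEV.
FINDINGS = [
    {"host": "aria-ops-01.example.internal", "cve": "CVE-2026-22719", "sla_due": "2026-04-30"},
    {"host": "aria-ops-02.example.internal", "cve": "CVE-2026-22719", "sla_due": "2026-03-10"},
    {"host": "build-07.example.internal", "cve": "CVE-0000-00001", "sla_due": "2026-03-15"},
]

def kev_due_dates(feed):
    """Map CVE ID -> KEV remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}

def prioritize(findings, feed, today):
    """Pull each KEV-listed finding's deadline forward to the KEV due date
    (never push it later), then sort: KEV first, then earliest deadline."""
    kev = kev_due_dates(feed)
    out = []
    for f in findings:
        due = date.fromisoformat(f["sla_due"])
        in_kev = f["cve"] in kev
        if in_kev:
            due = min(due, kev[f["cve"]])
        out.append({"host": f["host"], "cve": f["cve"], "kev": in_kev,
                    "due": due, "days_left": (due - today).days})
    return sorted(out, key=lambda r: (not r["kev"], r["due"]))

if __name__ == "__main__":
    # The evaluation date is an assumption chosen for the demonstration.
    for r in prioritize(FINDINGS, KEV_FEED, date(2026, 3, 20)):
        flag = "KEV" if r["kev"] else "   "
        state = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{flag} {r['due']} {state:>9}  {r['cve']}  {r['host']}")
```

A finding whose internal SLA is already earlier than the KEV date keeps the earlier deadline, so the KEV override cannot relax an existing commitment.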
Bottom line
Treat CVE-2026-22719 as an active, high-priority risk. If VMware Aria Operations is in your environment, this should be in your immediate patch queue.
