CVE-2026-22719: Broadcom VMware Aria Operations Command Injection Vulnerability

Summary

Parameter	Value
CVE ID	CVE-2026-22719
Alert Source	CISA KEV - Active Exploitation
CVE Publication Year	2026
Date Published	2026-03-03
Vendor	Broadcom
Product	VMware Aria Operations
CVSS Score	8.1 (high)
EPSS Score	0.5% (percentile: 64%)
CISA KEV	Yes - confirmed active exploitation
Ransomware	Not confirmed
Remediation Deadline	2026-03-24

Vulnerability Description

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Required Actions

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Who Is Affected?

This vulnerability affects VMware Aria Operations by Broadcom. Check if your organization uses this software and requires updates.

Sources

• NVD - CVE-2026-22719
• CISA KEV Catalog
• FIRST EPSS

---

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.