The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE‑2026‑22719 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 24, 2026. This marks the vulnerability as actively exploited in attacks, elevating its urgency for enterprise defenders.
The Vulnerability
- Component: VMware Aria Operations (enterprise monitoring platform).
- Type: Command injection.
- Impact: Unauthenticated attackers can execute arbitrary commands, potentially leading to remote code execution (RCE).
- Context: Exploitable during support‑assisted product migration.
- Severity: CVSS score 8.1 (Important).
Timeline
- Feb 24, 2026: Broadcom disclosed and patched CVE‑2026‑22719 in advisory VMSA‑2026‑0001.
- Mar 3, 2026: CISA added the flaw to the KEV catalog, mandating patching for federal civilian agencies.
- Broadcom update: The company acknowledged reports of exploitation but could not independently confirm them.
Exploitation Risk
- Unauthenticated access: No credentials required for exploitation.
- Command execution: Attackers can run arbitrary commands with root privileges.
- Operational impact: Compromise of monitoring infrastructure could cascade into broader server, network, and cloud visibility loss.
Mitigation
- Patch immediately: Apply VMware’s February 24 security updates.
- Temporary workaround: Run aria-ops-rce-workaround.sh as root on each appliance node.
  - Disables vulnerable migration components.
  - Removes risky sudoers entry (vmware-casa-workflow.sh running as root without password).
- Monitoring: Watch for suspicious command execution attempts during migration processes.
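To verify that the sudoers part of the workaround took effect, the following added example (not Broadcom's script and not code from the advisory) scans sudoers text for rules that still let vmware-casa-workflow.sh run without a password. It matches on the file name only, since the page gives no full path, and the sample user name and path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code: flag sudoers rules that still let
# vmware-casa-workflow.sh run without a password.
# Assumption: match on the file name only; the page gives no full path.
SCRIPT_NAME='vmware-casa-workflow.sh'

# Reads sudoers text on stdin. Prints "NOPASSWD: <rule>" for each active rule
# that covers the script with a NOPASSWD tag, and "ALIAS: <line>" for each
# Cmnd_Alias naming it (aliases are reported for review, not resolved).
find_risky_rules() {
    awk -v name="$SCRIPT_NAME" '
    {
        line = buf $0
        # Join backslash-continued lines before parsing.
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = line; next }
        buf = ""
        if (line ~ /^[ \t]*(#|Defaults)/ || !index(line, name)) next
        if (line ~ /^[ \t]*Cmnd_Alias/) { print "ALIAS: " line; next }
        eq = index(line, "=")
        if (!eq) next
        cmds = substr(line, eq + 1)
        gsub(/\([^)]*\)/, "", cmds)   # drop Runas specs such as (root)
        n = split(cmds, item, ",")
        nopass = 0                    # password required unless tagged
        for (i = 1; i <= n; i++) {
            c = item[i]
            sub(/^[ \t]+/, "", c)
            # Tags such as NOPASSWD: and PASSWD: carry over to later commands.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopass = 1
                else if (tag ~ /^PASSWD:/) nopass = 0
                c = substr(c, RLENGTH + 1)
            }
            split(c, word, /[ \t]+/)
            if (nopass && word[1] ~ ("/" name "$")) { print "NOPASSWD: " line; break }
        }
    }'
}

# Constructed sample input; user name and path are placeholders.
SAMPLE='# comment mentioning NOPASSWD: vmware-casa-workflow.sh
svcuser ALL=(root) NOPASSWD: /placeholder/vmware-casa-workflow.sh
svcuser ALL=(root) NOPASSWD: /bin/true, PASSWD: /placeholder/vmware-casa-workflow.sh
svcuser ALL=(root) NOPASSWD: \
    /placeholder/vmware-casa-workflow.sh --arg'
printf '%s\n' "$SAMPLE" | find_risky_rules   # prints the 2nd and joined 4th rule
```

On an appliance node, feed the function the node's sudoers files (the standard sudo locations /etc/sudoers and /etc/sudoers.d, not paths taken from the advisory) after running the workaround. No output means no direct NOPASSWD rule or command alias names the script.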
Final Thought
The addition of CVE‑2026‑22719 to CISA’s KEV catalog underscores a critical truth: monitoring platforms are high‑value targets. For leaders, the takeaway is clear: patching isn’t optional — it’s urgent. Organizations must treat monitoring infrastructure as part of their attack surface and ensure rapid remediation when vulnerabilities are flagged as exploited.