Broadcom released security advisory VMSA-2026-0001 on February 24, 2026, disclosing three vulnerabilities in VMware Aria Operations, the most severe of which could allow an unauthenticated attacker to execute arbitrary commands remotely.
The flaws affect VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure, and patches are now available for all impacted versions.
Vulnerabilities Overview
The most critical flaw, tracked as CVE-2026-22719, is a command injection vulnerability with a CVSSv3 score of 8.1.
A malicious unauthenticated actor can exploit this issue to execute arbitrary commands and achieve remote code execution (RCE) in VMware Aria Operations while a support-assisted product migration is in progress.
This makes it particularly dangerous, as it requires no credentials to trigger; the exposure window is limited to the time a support-assisted migration is running. A workaround for this specific flaw is documented in Broadcom Knowledge Base article KB430349.
The second vulnerability, CVE-2026-22720, is a stored cross-site scripting (XSS) flaw scored at 8.0.
An attacker with privileges to create custom benchmarks can inject malicious scripts to perform unauthorized administrative actions within the Aria Operations interface.
This vulnerability was reported by Tobias Anders of Deutsche Telekom Security GmbH.
The third flaw, CVE-2026-22721, is a privilege escalation vulnerability with a CVSSv3 score of 6.2.
A malicious actor with existing privileges in vCenter can leverage this issue to gain full administrative access in VMware Aria Operations.
According to Broadcom, this vulnerability was discovered by Sven Nobis and Lorin Lehawany of ERNW Enno Rey Netzwerke GmbH. All three vulnerabilities were privately reported to Broadcom before public disclosure.
| CVE ID | CVSS Score | Severity | Vulnerability Type | Attack Vector |
|---|---|---|---|---|
| CVE-2026-22719 | 8.1 | Important | Command Injection / RCE | Network (Unauthenticated) |
| CVE-2026-22720 | 8.0 | Important | Stored Cross-Site Scripting | Network (Low Privileges) |
| CVE-2026-22721 | 6.2 | Moderate | Privilege Escalation | Network (High Privileges) |
Affected Products & Fixes
| Product | Affected Version | Fixed Version |
|---|---|---|
| VMware Aria Operations | 8.x | 8.18.6 |
| VMware Cloud Foundation (VCF Operations) | 9.x.x.x | 9.0.2.0 |
| VMware Cloud Foundation (Aria Operations) | 5.x, 4.x | KB92148 |
| VMware Telco Cloud Platform | 5.x, 4.x | KB428241 |
| VMware Telco Cloud Infrastructure | 3.x, 2.x | KB428241 |
Broadcom strongly recommends that administrators apply the available patches immediately. Organizations running VMware Aria Operations in any environment should prioritize upgrading to the fixed versions listed above.
The command injection flaw (CVE-2026-22719) poses the highest risk due to its unauthenticated remote exploitation potential, and a temporary workaround via KB430349 is available for environments where immediate patching is not feasible.
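To turn the fixed-version table above into a quick inventory check, the following script is an added example (not part of the advisory or any Broadcom tooling). It compares installed builds against the two product lines that publish a concrete fixed version (8.18.6 and 9.0.2.0), comparing version components numerically so that a build such as 8.18.10 is not mistaken for an older release; the KB-based lines are not covered, and the hostnames and builds in the sample inventory are constructed.

```python
from typing import List, Optional, Tuple

# Fixed versions from the VMSA-2026-0001 table: (affected major line, fixed build).
FIXED_VERSIONS = {
    "VMware Aria Operations": ((8,), "8.18.6"),
    "VMware Cloud Foundation (VCF Operations)": ((9,), "9.0.2.0"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers for numeric comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the build is below the fixed version, False if at or above it,
    None if the product or major line is outside the rows handled here."""
    entry = FIXED_VERSIONS.get(product)
    if entry is None:
        return None
    affected_major, fixed = entry
    installed = parse_version(version)
    if installed[: len(affected_major)] != affected_major:
        return None  # different major line; consult the advisory's KB rows instead
    # Tuple comparison is element-wise and numeric, so (8, 18, 10) > (8, 18, 6).
    return installed < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need patching."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("aria-ops-01", "VMware Aria Operations", "8.18.5"),
    ("aria-ops-02", "VMware Aria Operations", "8.18.6"),
    ("aria-ops-03", "VMware Aria Operations", "8.18.10"),
    ("vcf-ops-01", "VMware Cloud Foundation (VCF Operations)", "9.0.1.0"),
    ("vcf-ops-02", "VMware Cloud Foundation (VCF Operations)", "9.0.2.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

Hosts reported by the script are candidates for the upgrade or, for CVE-2026-22719, the KB430349 workaround until patching is possible.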