
CISA Warns of Active VMware RCE Attacks

Originally published on: March 5, 2026
Summary

– CISA has added a VMware Aria Operations vulnerability (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog, indicating it is being used in attacks.
– The vulnerability is a command injection flaw that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution.
– Broadcom, which owns VMware, patched the flaw on February 24, 2026, and provided a temporary workaround script for organizations unable to immediately update.
– While Broadcom is aware of reports of exploitation, it states it cannot independently confirm these claims, and no technical details of the attacks are public.
– Federal civilian agencies are required by CISA to address this vulnerability by March 24, 2026, by applying the patch or the provided workaround.

A critical security flaw within VMware’s enterprise monitoring platform is now under active exploitation, prompting urgent action from federal cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added the vulnerability, identified as CVE-2026-22719, to its Known Exploited Vulnerabilities catalog. This designation confirms that malicious actors are leveraging the weakness in real-world attacks. While Broadcom, VMware’s parent company, acknowledges these reports, it states it cannot independently verify the claims. The issue affects VMware Aria Operations, a tool organizations rely on to monitor the performance and health of their servers, networks, and cloud environments.

Originally disclosed and patched by VMware on February 24, 2026, the flaw was rated as Important with a CVSS severity score of 8.1. Its addition to the KEV catalog carries significant weight, as CISA now mandates that all federal civilian executive branch agencies apply the provided patches or mitigations by March 24, 2026. This binding directive underscores the serious risk the vulnerability poses to government networks and serves as a critical warning for all enterprises using the affected software.

The vulnerability itself is a command injection flaw that permits an unauthenticated attacker to execute arbitrary commands on vulnerable systems. Broadcom’s advisory clarifies the specific danger: “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.” This means an attacker could potentially take full control of the monitoring appliance without needing any login credentials, provided the migration feature is active. Technical details on the exact methods of exploitation remain undisclosed to the public at this time.

In response to the threat, Broadcom has made both permanent fixes and a temporary workaround available. Security patches were released concurrently with the initial advisory on February 24. For organizations that cannot apply the patches immediately, a mitigation script named “aria-ops-rce-workaround.sh” has been provided. This script must be run with root privileges on each node of the Aria Operations appliance. Its function is to disable specific components of the migration process that are essential for exploitation. This includes removing a key service script and a related sudoers entry that allowed a workflow script to run as root without requiring a password.
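A post-mitigation check, added here as an example and not part of the article or of Broadcom's workaround script: it parses a sudoers file for user specifications that grant a command passwordless root, the kind of entry the article says the workaround removes, so an administrator can confirm such an entry is gone. The user name and script path in the sample are placeholders, not the real Aria Operations values, and `/etc/sudoers.d` includes are not followed.

```shell
#!/bin/sh
# Added audit helper (not Broadcom's workaround script). Lists sudoers user
# specs that let a command run as root with NOPASSWD. Include directives are
# stripped along with comments, so only the given file is inspected.

# Print one "user|command" line per spec that grants NOPASSWD and runs as
# root: an explicit "(root)" or "(ALL)" runas, or no runas clause at all,
# which sudoers treats as root.
audit_nopasswd_root() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    awk '
        /NOPASSWD:/ {
            user = $1
            runas = "root"                     # default when no "(...)" clause
            if (match($0, /\([^)]*\)/)) {
                runas = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/:.*/, "", runas)          # drop a group part like ALL:ALL
            }
            if (runas != "root" && runas != "ALL") next
            cmd = $0
            sub(/.*NOPASSWD:[[:space:]]*/, "", cmd)
            print user "|" cmd
        }'
}

# Number of passwordless-root grants; 0 means none remain in the file.
nopasswd_root_count() {
    audit_nopasswd_root "$1" | wc -l | tr -d ' '
}

# Exit 0 if the given command path is still granted passwordless root, else 1.
nopasswd_root_grants() {
    audit_nopasswd_root "$1" |
    awk -F'|' -v want="$2" '$2 == want { found = 1 } END { exit !found }'
}

# Constructed sample sudoers fragment (placeholder user and path).
SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
admin       ALL=(ALL) ALL
# placeholder for a migration workflow entry of the kind the workaround removes
svc-migrate ALL=(root) NOPASSWD: /opt/placeholder/migration-workflow.sh
backup      ALL=(backup) NOPASSWD: /usr/local/bin/backup.sh
EOF

audit_nopasswd_root "$SAMPLE_SUDOERS"
```

On a real appliance, point the functions at the actual sudoers file and expect `nopasswd_root_count` to report 0 for the migration workflow once the workaround or patch has been applied.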

System administrators are strongly urged to apply the available VMware Aria Operations security patches or implement the provided workarounds without delay. The confirmation of active exploitation by CISA transforms this from a theoretical risk into an immediate operational threat. Taking prompt action is essential to secure network monitoring infrastructure and prevent potential remote code execution attacks that could compromise broader enterprise environments.

(Source: Bleeping Computer)
