TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources СLOUD SECURITY APPLICATION SECURITY CYBERATTACKS & DATA BREACHES VULNERABILITIES & THREATS NEWS VMware Aria Operations Bug Exploited, Cloud Resources at Risk Exploitation of the command injection flaw in VMware Aria Operations could grant an attacker broad acess to victims' cloud environments. Alexander Culafi,Senior News Writer, Dark Reading March 4, 2026 3 Min Read SOURCE: JHVEPHOTO VIA ALAMY STOCK PHOTO Another VMware vulnerability has been exploited in the wild, according to the Cybersecurity and Infrastructure Security Agency (CISA). CVE-2026-22719 is a high severity (CVSS 8.1) command injection vulnerability present in VMware Aria Operations versions prior to 8.18.6. According to VMware owner Broadcom in an advisory, "A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress." It was first disclosed and updated to 8.18.6. on Feb. 24 alongside two other flaws, Aria Operations cross-site scripting bug CVE-2026-22720 (CVSS 8.0) and privilege escalation vulnerability CVE-2026-22721 (CVSS 6.2). On March 3, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog alongside a recent Qualcomm bug. The same day, Broadcom updated its advisory with a line, "UPDATE: Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity." Related:AI Agent Overload: How to Solve the Workload Identity Crisis Dark Reading contacted Broadcom for additional comment; the company reiterated the above. Though customers are urged to patch, a workaround also exists in the form of a script vulnerable customers can run in their environments. Vulnerable customers include those running Aria Operations version 8 up to and including 8.18.5, as well as Aria Operations version 9 up to and including 9.0.1. Unique Risks Surrounding Cloud Management Platforms Aria Operations is a unified IT management platform used for monitoring and managing a wide range of cloud environments. Although such tools are useful, they also act as a central point for a threat actor to access a swath of infrastructure due to the access these management products require. Collin Hogue-Spears, senior director of solution management at Black Duck, tells Dark Reading that a compromise against Aria Operations through a flaw like CVE-2026-22719, a basic command injection flaw that can grant unauthenticated root access to an instance, also compromises the entire virtual infrastructure at once, including credentials, network topology, monitoring, and more. "An attacker who takes Aria does not steal one server," Hogue-Spears says. "They inherit the credentials and network topology for every system Aria manages. They see what your SOC sees. They control what your SOC trusts. The first thing a capable attacker does after compromising a monitoring platform: make that platform report that nothing happened. Your team watches clean dashboards while the attacker harvests vCenter service accounts, maps every ESXi host, and stages ransomware deployment across your entire virtual estate. This is not speculative. Scattered Spider, Qilin, and Lazarus Group all have documented campaigns targeting VMware management infrastructure precisely because of this outsized access." Related:The Tug-of-War Over Firewall Backlogs in the AI-Driven Development Era Another concern is that although exploitation can only occur during a migration window, the command injection requires no authentication and grants root access. It's because of this that Hogue-Spears recommends patching to a fixed version (Aria Operations 8.18.6 or VCF 9.0.2.0) today, or deploying the workaround immediately if patching would take longer than 48 hours. CVE-2026-22719 is the latest VMware flaw to come under attack. Last March, VMware disclosed three zero-day vulnerabilities, including CVE-2025-22224, a critical bug affecting VMware ESXi and Workstation. In September, reseachers found evidence that a critical privilege escalation flaw impacting Aria Operations and VMware Tools, tracked as CVE-2025-41244, had been exploited for nearly a year. About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. More Insights Industry Reports ThreatLabz 2025 Ransomware Report The Total Economic Impact™ Of Zscaler Private Access (ZPA) Zscaler ThreatLabz 2025 VPN Risk Report GigaOm Radar for CNAPP The Total Economic Impact™ of Google SecOps Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like СLOUD SECURITY Google Gemini Flaw Turns Calendar Invites Into Attack Vector by Elizabeth Montalbano, Contributing Writer JAN 20, 2026 СLOUD SECURITY Fake AI Chrome Extensions Steal 900K Users' Data by Alexander Culafi JAN 08, 2026 СLOUD SECURITY Critical 'MongoBleed' Bug Under Attack, Patch Now by Jai Vijayan, Contributing Writer JAN 05, 2026 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice THREAT INTELLIGENCE As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks byElizabeth Montalbano MAR 3, 2026 6 MIN READ ICS/OT SECURITY Vehicle Tire Pressure Sensors Enable Silent Tracking byJai Vijayan MAR 3, 2026 3 MIN READ СLOUD SECURITY AI Agent Overload: How to Solve the Workload Identity Crisis byAlexander Culafi MAR 3, 2026 4 MIN READ 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Assessing Security Architectures: Zero Trust vs. Network-Centric Models 5 Steps to Stop Ransomware With Zero Trust 10 Ways a Zero Trust Architecture Protects Against Ransomware Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466. Home| Cookie Policy| Privacy| Terms of Use