Overview
- CISA placed CVE-2026-22719 in its Known Exploited Vulnerabilities catalog on March 3, citing active exploitation and requiring Federal Civilian Executive Branch agencies to remediate by March 24, 2026.
- Broadcom disclosed and patched the issue on February 24 and published a temporary mitigation script, aria-ops-rce-workaround.sh, for organizations unable to update immediately.
- The vulnerability is a command injection that can allow an unauthenticated attacker to execute arbitrary commands during support-assisted product migration, potentially resulting in remote code execution.
- Broadcom says it is aware of reports of in-the-wild exploitation but cannot independently confirm them, and no technical exploit details have been publicly released.
- Fixed releases include VMware Aria Operations 8.18.6 and VMware Cloud Foundation and vSphere Foundation 9.0.2.0, with guidance urging prompt patching, restricted access, and post-patch credential rotation.