CISA warns of a critical VMware Aria Operations flaw that allows attackers to gain full cloud access.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high‑alert warning about a critical vulnerability in VMware Aria Operations. Attackers are actively exploiting it to gain unauthorized access to cloud environments.
VMware Aria Operations is an intelligent IT operations management platform designed to give organizations unified, full‑stack visibility across physical, virtual, and multi‑cloud environments. It uses AI‑driven analytics to monitor performance, detect anomalies, optimize capacity, and automate remediation. This service helps teams proactively maintain system health, balance workloads, and reduce operational complexity.
CVE‑2026‑22719 is a high‑severity command‑injection vulnerability in VMware Aria Operations that allows an unauthenticated attacker to run arbitrary system commands during a support‑assisted migration process, potentially leading to full remote code execution. It affects versions prior to 8.18.6 and has been added to CISA’s Known Exploited Vulnerabilities catalog following reports of active exploitation. The flaw was disclosed alongside a cross‑site scripting bug (CVE‑2026‑22720) and a privilege escalation issue (CVE‑2026‑22721).
“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” CISA explained.
Broadcom has acknowledged the reports of potential exploitation but hasn’t independently verified them. The company has urged affected customers to patch immediately or apply a temporary script‑based workaround in their environments.
Exploitation of this security flaw can have serious consequences because VMware Aria Operations functions as a central management point for an organization’s virtual and cloud infrastructure. Attackers could exploit this command‑injection flaw to gain unauthenticated root‑level access, which in turn exposes credentials, network topology, and monitoring data for every system the platform manages. It essentially gives attackers the same broad visibility and control as the organization’s own Security Operations Center (SOC).
Additionally, such an intrusion can enable deeper lateral movement, allowing threat actors to manipulate infrastructure, disrupt services, or deploy additional malicious tools across interconnected environments. Because Aria Operations integrates widely across cloud and virtual systems, a breach can compromise individual servers as well as the entire operational ecosystem. Ultimately, this increases the risk of data theft, operational outages, and long‑term persistence within the network.