The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that a vulnerability found in enterprise cloud software company VMware Aria Operations has been exploited in real-world attacks.

Dark Reading reported on March 5 local time that the vulnerability is CVE-2026-22719. It is a high-risk command-injection flaw with a CVSS score of 8.1 and exists in Aria Operations versions before 8.18.6. Broadcom, VMware's parent company, said in an official advisory that an unauthenticated malicious attacker could exploit the flaw to execute arbitrary commands and that it could lead to remote code execution during a product support migration.

The vulnerability was first disclosed on Feb. 24 along with two other flaws. Along with CVE-2026-22719, Aria Operations cross-site scripting bug CVE-2026-22720 (CVSS 8.0) and privilege escalation vulnerability CVE-2026-22721 (CVSS 6.2) were announced.

On March 3, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) list. On the same day, Broadcom updated its advisory, saying it was aware of reports of possible exploitation of CVE-2026-22719 in real-world environments but had not independently confirmed it.

Affected versions are all Aria Operations version 8 releases up to and including 8.18.5 and all version 9 releases up to and including 9.0.1. A separate script-based temporary workaround is also provided for customers who have difficulty applying the patch.

Colin Hogge-Spears (콜린 호그-스피어스), senior director of solutions management at security company Black Duck, warned that the vulnerability carries the risk of taking over an entire virtual infrastructure at once. "An attacker who takes control of Aria does not take over just a single server," he said. "They get their hands on every system account and the network structure of everything Aria manages."