Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory VMSA-2026-0001 for VMware Aria Operations (formerly vRealize Operations), warning of three vulnerabilities affecting Aria Operations and bundled platforms including VMware Cloud Foundation and VMware Telco Cloud. The most severe issue, CVE-2026-22719 (CVSS 8.1), is a command injection flaw that an unauthenticated attacker can exploit to execute arbitrary commands and potentially achieve remote code execution, but only while a support-assisted product migration is in progress. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix and knowledge-base guidance.
The advisory also covers CVE-2026-22720 (CVSS 8.0), a stored XSS issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and CVE-2026-22721 (CVSS 6.2), a privilege escalation path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers Sven Nobis and Lorin Lehawany of ERNW were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations 8.18.6 and Cloud Foundation 9.0.2.0, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
Timeline
Feb 25, 2026
CVE-2026-22719 vulnerability record is published
On 2026-02-25, a public vulnerability record for CVE-2026-22719 described the unauthenticated command injection flaw in VMware Aria Operations as leading to arbitrary command execution and possible remote code execution during support-assisted migration. The record pointed users to Broadcom's fixed-version matrix and workaround guidance.
Feb 24, 2026
Canadian Centre for Cyber Security issues alert on VMware advisory
On 2026-02-24, the Canadian Centre for Cyber Security published alert AV26-162 referencing VMSA-2026-0001 and warning that versions prior to Aria Operations 8.18.6 and Cloud Foundation/vSphere Foundation 9.0.2.0 were affected. It urged administrators to review the advisory and apply the necessary updates.
Feb 24, 2026
Broadcom releases patches for affected VMware Aria and foundation products
Broadcom released fixes for the disclosed flaws, including Aria Operations 8.18.6 and VMware Cloud Foundation and vSphere Foundation 9.0.2.0. The advisory noted only a limited workaround for CVE-2026-22719, increasing the need to apply updates for the remaining issues.
Feb 24, 2026
Broadcom discloses VMware Aria Operations vulnerabilities in VMSA-2026-0001
On 2026-02-24, Broadcom published security advisory VMSA-2026-0001 covering three vulnerabilities in VMware Aria Operations and related VMware Cloud Foundation and vSphere Foundation products. The issues were tracked as CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721, including command injection, stored XSS, and privilege escalation impacts.
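The timeline above gives two fixed-version thresholds (Aria Operations 8.18.6 and Cloud Foundation/vSphere Foundation 9.0.2.0) below which deployments are reported as affected. The following Python snippet is an added example, not part of the advisory or of any Broadcom tooling, that triages a constructed inventory against those thresholds. It compares versions numerically rather than as strings (so 8.9.1 is correctly ranked below 8.18.6), and it assumes only the two thresholds named on this page; the vendor's full response matrix may list further product lines that it deliberately does not guess at.

```python
from __future__ import annotations
import re

# Fixed versions named in VMSA-2026-0001 as summarized on the page.
# Builds earlier than these are reported as affected. Any product line not in
# this table is skipped rather than guessed at (assumption: consult the full
# vendor response matrix for those).
FIXED_VERSIONS = {
    "Aria Operations": "8.18.6",
    "VMware Cloud Foundation": "9.0.2.0",
    "vSphere Foundation": "9.0.2.0",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.18.6' or '9.0.2.0' into a comparable tuple of ints.

    Plain string comparison would rank '8.9' above '8.18', so each dotted
    component is compared as an integer. A non-numeric trailing piece
    (e.g. a build tag) ends the parse rather than raising.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Shorter tuples are zero-padded so that '9.0.2' equals '9.0.2.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def triage(inventory: list[dict]) -> list[dict]:
    """Return inventory entries still below the fixed version for their product.

    Each entry needs 'host', 'product' and 'version'. Matching the alert
    wording ("versions prior to ..."), anything older than the threshold is
    flagged, including major versions below the fixed line.
    """
    findings = []
    for item in inventory:
        fixed = FIXED_VERSIONS.get(item["product"])
        if fixed is None:
            continue
        if version_lt(item["version"], fixed):
            findings.append({**item, "fixed": fixed})
    return findings


# Constructed sample inventory: hostnames and installed versions are made up
# for the example and do not describe any real environment.
SAMPLE_INVENTORY = [
    {"host": "aria-ops-01.example.internal", "product": "Aria Operations", "version": "8.18.5"},
    {"host": "aria-ops-02.example.internal", "product": "Aria Operations", "version": "8.18.6"},
    {"host": "aria-ops-03.example.internal", "product": "Aria Operations", "version": "8.9.1"},
    {"host": "vcf-mgmt-01.example.internal", "product": "VMware Cloud Foundation", "version": "9.0.1.0"},
    {"host": "vcf-mgmt-02.example.internal", "product": "VMware Cloud Foundation", "version": "9.0.2.0"},
    {"host": "esxi-07.example.internal", "product": "ESXi", "version": "8.0.3"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} is below fixed {f['fixed']}")
```

Run stand-alone it lists the three constructed hosts still below threshold; in practice the inventory would come from the asset database or the appliances' own version endpoints, and the skipped ESXi entry shows that products outside the advisory are left unjudged rather than silently marked clean.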
Related Stories

Pwn2Own VMware Hypervisor Escape and Privilege Escalation Vulnerabilities
Broadcom VMware issued fixes for multiple **Pwn2Own-disclosed** local privilege escalation flaws affecting **ESXi** and **Workstation**, where attackers with code execution inside a guest can potentially execute arbitrary code in the **hypervisor** context. The disclosed issues include **CVE-2025-41236** in the **VMXNET3** virtual device on ESXi, caused by an integer overflow; **CVE-2025-41237** in **VMCI** on ESXi, caused by an integer underflow; and **CVE-2025-41238** in the **PVSCSI** virtual device on Workstation, caused by improper validation of user-controlled length data leading to a heap-based buffer overflow. All three advisories assign a **CVSS 8.2** score and describe the same exploitation precondition: the attacker must already be able to run high-privileged code on the guest OS. The Aria Operations privilege-escalation research is a **different VMware product issue** and does not describe the same disclosure set. That separate report covers **CVE-2025-41245** and **CVE-2026-22721**, where a vCenter user mapped by default to Aria’s **PowerUser** role could escalate to an Aria administrator and potentially gain access across integrated VMware environments. By contrast, the relevant Pwn2Own advisories focus specifically on guest-to-hypervisor escape paths in ESXi and Workstation, with Broadcom publishing updates through the same security advisory channel and crediting researchers from **STAR Labs**, **Synacktiv**, and **REverse Tactics** for the findings.
1 month ago
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
1 week ago
CISA Mandates Patching of VMware Tools Privilege Escalation Vulnerability Exploited by Chinese Threat Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch a high-severity local privilege escalation vulnerability, tracked as CVE-2025-41244, affecting Broadcom's VMware Aria Operations and VMware Tools. This flaw allows attackers with non-administrative access to a virtual machine, when managed by Aria Operations with SDMP enabled, to escalate privileges to root. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog after confirmation that it has been actively exploited in the wild, with exploitation attributed to the Chinese state-sponsored group UNC5174 since October 2024. Federal Civilian Executive Branch agencies have been given a three-week deadline to apply patches, and all organizations are strongly urged to prioritize remediation due to the significant risk posed by this vulnerability. Broadcom patched CVE-2025-41244 one month prior to CISA's directive, and proof-of-concept code demonstrating exploitation has been publicly released. The vulnerability is considered a frequent attack vector for malicious cyber actors, and CISA's Binding Operational Directive 22-01 requires agencies to apply mitigations or discontinue use if patches are unavailable. While the directive is mandatory for federal agencies, CISA recommends that all organizations, regardless of sector, address the vulnerability immediately to prevent potential compromise of virtualized environments managed by VMware Tools and Aria Operations.
1 month ago