CVE-2026-22719

Warnung

Medienbericht

EPSS 1.98%
Veröffentlicht 25.02.2026 19:18:59
Zuletzt bearbeitet 04.03.2026 15:08:13
Quelle security@vmware.com
CVE-Watchlists
Login
Unerledigt
Login

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. 

To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001 

Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

VMware ≫ Aria Operations Version >= 8.0 < 8.18.6

VMware ≫ Cloud Foundation Version >= 4.0 < 5.2.3

VMware ≫ Cloud Foundation Version >= 9.0 < 9.0.2.0

VMware ≫ Telco Cloud Infrastructure Version >= 2.2 <= 3.0

VMware ≫ Telco Cloud Platform Version >= 4.0 <= 5.1

03.03.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Broadcom VMware Aria Operations Command Injection Vulnerability

Schwachstelle

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.98%	0.834

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vmware.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.heise.de/news/Angriffe-auf-VMware-Aria-Operations-beobachtet-11198060.html

Medienbericht

heise Security

04.03.2026 08:55

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Patch

Vendor Advisory

https://knowledge.broadcom.com/external/article/430349

Vendor Advisory

Mitigation

https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html

Release Notes