
VMware Patches Command Injection Vulnerability in Aria Operations

VMware has issued patches addressing several high- and medium-risk vulnerabilities in its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products.

The most severe vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying operating system. Another significant issue permits authenticated users to elevate their privileges to those of an administrator.

The vulnerabilities, identified as CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721, were reported to Broadcom privately. Currently, there is no evidence suggesting that these vulnerabilities have been exploited in the wild. However, it is worth noting that similar critical vulnerabilities in Aria Operations have been exploited previously, and enterprise virtualization infrastructure has been a target for state-sponsored threat actors.

Recommendations for Users

Broadcom recommends that customers upgrade to Aria Operations version 8.18.6 and VMware Cloud Foundation versions 5.2.3 or 9.0.2. The VMware Telco Cloud Platform and Telco Cloud Infrastructure are also affected, as they incorporate Aria Operations, which is essential for managing private and multicloud environments.

Details on Vulnerabilities

Command Injection and Privilege Escalation

CVE-2026-22719 is an unauthenticated command injection flaw potentially leading to remote code execution. Despite its severity, it has been rated high rather than critical because exploitation is only possible during support-assisted product migrations, reducing the likelihood of widespread attacks.

By comparison, a similar command injection flaw in Aria Operations for Networks, disclosed in 2023, drew nearly 700,000 attempted attacks, as counted by security companies.

Cross-Site Scripting and Privilege Escalation

The second vulnerability, CVE-2026-22720, is a stored cross-site scripting (XSS) issue, rated high severity with a CVSS score of 8.0. This flaw allows privileged attackers to inject persistent scripts by creating custom benchmarks on a deployment; the injected scripts can then perform administrative actions.

The third vulnerability is of moderate severity, rated 6.2, and could be exploited if attackers gain privileges in vCenter, allowing them access to Aria Operations. vCenter serves as the management platform for vSphere virtual environments, and this vulnerability could potentially lead to administrative privileges within Aria.
