Latest
Vulnerabilities

VMware Patches Command Injection Vulnerability in Aria Operations

VMware Patches Command Injection Vulnerability in Aria Operations

VMware has issued patches addressing several high- and medium-risk vulnerabilities in its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products.

The most critical vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying operating system. Another significant issue permits authenticated users to elevate their privileges to that of an administrator.

The vulnerabilities, identified as CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721, were reported to Broadcom privately. Currently, there is no evidence suggesting that these vulnerabilities have been exploited in the wild. However, it is worth noting that similar critical vulnerabilities in Aria Operations have been exploited previously, and enterprise virtualization infrastructure has been a target for state-sponsored threat actors.

Recommendations for Users

Broadcom recommends that customers upgrade to Aria Operations version 8.18.6 and VMware Cloud Foundation versions 5.2.3 or 9.0.2. The VMware Telco Cloud Platform and Telco Cloud Infrastructure are also affected, as they incorporate Aria Operations, which is essential for managing private and multicloud environments.

Details on Vulnerabilities

Command Injection and Privilege Escalation

CVE-2026-22719 is an unauthenticated command injection flaw potentially leading to remote code execution. Despite its severity, it has been rated high rather than critical because exploitation is only possible during support-assisted product migrations, reducing the likelihood of widespread attacks.

In comparison, a similar command injection flaw disclosed in 2023 for Aria Operations for Networks saw nearly 700,000 attempted attacks by security companies.

Cross-Site Scripting and Privilege Escalation

The second vulnerability, CVE-2026-22720, is characterized as a stored cross-site scripting (XSS) issue, rated high severity with a CVSS score of 8.0. This flaw allows privileged attackers to inject persistent scripts that can perform administrative actions by creating custom benchmarks on a deployment.

The third vulnerability is of moderate severity, rated 6.2, and could be exploited if attackers gain privileges in vCenter, allowing them access to Aria Operations. vCenter serves as the management platform for vSphere virtual environments, and this vulnerability could potentially lead to administrative privileges within Aria.

More in Vulnerabilities & Patches

Critical Veeam Backup and Replication Bug Lets Any Domain User Run Code
Vulnerabilities

Critical Veeam Backup and Replication Bug Lets Any Domain User Run Code

Jul 13, 2026 2 min read
FFmpeg PixelSmash Flaw Turns Malicious Video Files Into Remote Code Execution
Vulnerabilities

FFmpeg PixelSmash Flaw Turns Malicious Video Files Into Remote Code Execution

Jul 11, 2026 4 min read
AI Cyberattacks: Two Years of Insane Vulnerabilities
Vulnerabilities

AI Cyberattacks: Two Years of Insane Vulnerabilities

Jun 30, 2026 8 min read
Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
Vulnerabilities

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Jun 10, 2026 3 min read