The United States Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalogue. This move confirms that the flaw, tracked as CVE-2026-22719, is currently being exploited in active cyber attacks.
VMware Aria Operations is a widely used enterprise monitoring platform designed to help organisations track the performance and health of their servers, networks, and cloud infrastructure. Because this tool sits at the heart of many corporate environments, a successful exploit can provide a malicious actor with significant leverage over an organisation’s entire digital estate.
Understanding the Risk: Remote Code Execution
The vulnerability is particularly concerning because it allows a malicious, unauthenticated actor to execute arbitrary commands. This can lead to full remote code execution (RCE) while a support-assisted product migration is in progress.
In simpler terms, an attacker could potentially take complete control of the affected system without needing any login credentials. Once they have gained this level of access, they could:
- Steal sensitive corporate or customer data.
- Deploy ransomware throughout the network.
- Disrupt critical business operations.
- Use the monitoring platform to pivot and attack other connected systems.
Essential Steps for Protection
Broadcom, which now owns VMware, has released security patches to address this flaw. For organisations that use VMware Aria Operations, the following strategies can help enhance your security posture against this threat:
- Prioritise Patching: Consider applying the official security patches released on 24 February as a matter of urgency. This is the most effective way to eliminate the vulnerability.
- Implement Temporary Workarounds: If your organisation is unable to apply the patches immediately, Broadcom has provided a temporary shell script workaround. This script must be executed as root on each Aria Operations appliance node to mitigate the risk.
- Monitor Migration Windows: Since the exploit is linked to support-assisted migrations, it is wise to exercise extra vigilance and monitoring during these specific maintenance windows.
- Review Access Controls: Ensure that access to your monitoring infrastructure is strictly limited to authorised personnel and that your network is segmented to prevent lateral movement in the event of a breach.
Why the KEV Catalogue Matters
When CISA adds a vulnerability to the KEV catalogue, it serves as a high-priority warning for the global cybersecurity community. It moves the flaw from a theoretical risk to a proven, active threat. While CISA specifically requires US federal agencies to address these issues by a set deadline (in this case, 24 March 2026), it is a strong signal for private businesses worldwide to take identical precautions.
At this stage, specific details regarding the identity of the attackers or the full scale of the exploitation remain unknown. This lack of information makes proactive defence even more vital.
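One way to turn KEV entries into a patching deadline for your own estate, as an added example that is not part of the original article: it matches catalogue entries against a product inventory and ranks them by days remaining. The field names follow CISA's public KEV JSON feed; the vendor and product strings, the second entry, the inventory and the `kev_matches` helper are constructed assumptions.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Only the CVE ID and
# due date come from the article; vendor/product strings are assumptions.
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom",
   "product": "VMware Aria Operations", "dueDate": "2026-03-24"},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
   "product": "Example Gateway", "dueDate": "2026-01-15"}
]}
""")

# Constructed inventory of product names the organisation runs.
INVENTORY = ["VMware Aria Operations", "Example Mail Server"]


def kev_matches(catalog, inventory, today, soon_days=7):
    """Return KEV entries that hit inventoried products, most urgent first."""
    wanted = [name.casefold() for name in inventory if name.strip()]
    hits = []
    for entry in catalog.get("vulnerabilities", []):
        product = entry.get("product", "").casefold()
        if not product or not any(w in product or product in w for w in wanted):
            continue
        try:
            due = date.fromisoformat(entry["dueDate"])
        except (KeyError, TypeError, ValueError):
            due = None  # malformed or missing deadline: still report the hit
        days_left = (due - today).days if due else None
        if days_left is None:
            status = "no-deadline"
        elif days_left < 0:
            status = "overdue"
        elif days_left <= soon_days:
            status = "due-soon"
        else:
            status = "scheduled"
        hits.append({"cve": entry.get("cveID"), "product": entry["product"],
                     "due": due, "days_left": days_left, "status": status})
    # Entries without a deadline sort last; otherwise fewest days left first.
    hits.sort(key=lambda h: (h["days_left"] is None, h["days_left"] or 0))
    return hits


if __name__ == "__main__":
    for hit in kev_matches(SAMPLE_KEV, INVENTORY, date(2026, 3, 20)):
        print(hit["cve"], hit["product"], hit["status"], hit["days_left"])
```

In practice the `catalog` argument would be the parsed KEV feed downloaded from CISA, and the inventory would come from an asset database rather than a hard-coded list.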
Strengthening Your Cyber Defences
Navigating the constant stream of new vulnerabilities and security patches can be a daunting task for any business. Ensuring your infrastructure is resilient against modern exploits requires expert knowledge and a proactive approach to risk management.
If your organisation uses VMware products and you have concerns about your current security posture, or if you require assistance with vulnerability management and penetration testing, contact the expert team at Vertex. We provide tailored solutions and strategic guidance to help protect your business, employees, and data from evolving cyber threats.