• Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws.The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” Broadcom explained in itsadvisory.Another high-severity issue patched in Aria Operations (with a CVSS score of 8.0) is CVE-2026-22720, a stored cross-site scripting (XSS) flaw that can allow an attacker with permission to create custom benchmarks to inject scripts to perform administrative actions.The third and last vulnerability patched with the latest round of updates is CVE-2026-22721, a medium-severity privilege escalation issue that can be exploited to obtain administrative access.Patches for the vulnerabilities are included in version 9.0.2.0 of VMware Cloud Foundation and VMware vSphere Foundation, and version 8.18.6 of Aria Operations.Advertisement. • Scroll to continue reading.Broadcom’s advisory does not mention anything about in-the-wild exploitation. • However, it’s not uncommon for threat actors toexploit VMware product vulnerabilities.In addition, Broadcom has been known not to include an in-the-wild exploitation warning in its initial advisory, even forlong-exploited zero-days.Related:High-Severity Vulnerabilities Patched in VMware Aria Operations, NSX, vCenterRelated:2024 VMware Flaw Now in Attackers’ CrosshairsRelated:VMware Patches High-Severity Vulnerabilities in Aria Operations The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which

Article Summaries:

  • Broadcom has issued patches for three high‑severity vulnerabilities in VMware Aria Operations. The most critical flaw, CVE‑2026‑22719 (CVSS 8.1), is a command‑injection bug that allows unauthenticated attackers to run arbitrary commands, potentially leading to remote code execution during support‑assisted migrations. CVE‑2026‑22720 (CVSS 8.0) is a stored cross‑site scripting (XSS) vulnerability that lets users with benchmark‑creation rights inject scripts to perform administrative actions. The third flaw, CVE‑2026‑22721 (CVSS 6.0), is a privilege‑escalation issue that can grant administrative access. Patches are included in VMware Cloud Foundation 9.0.2.0, vSphere Foundation 9.0.2.0, and Aria Operations 8.18.6. Broadcom’s advisory does not report any in‑the‑wild exploitation yet.

Sources: