PT-2026-21684 · VMware · VMware Aria Operations

Published 2026-02-24 · Updated 2026-04-02 · CVE-2026-22719

CVSS v3.1: 8.1 High (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: VMware Aria Operations versions 8.0 through 8.18.5 and 9.0 through 9.0.1.
Description: VMware Aria Operations contains a command injection vulnerability that allows a malicious unauthenticated actor to execute arbitrary commands, potentially leading to remote code execution during support-assisted product migration. This vulnerability is actively exploited in the wild and has been added to CISA's KEV catalog.
Recommendations: Upgrade VMware Aria Operations to version 8.18.6 or later, or VMware Cloud Foundation to version 9.0.2.0 or later. If immediate patching is not possible, apply the workaround script provided by Broadcom.

Fix · RCE · Command Injection · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-02323
CVE-2026-22719

Affected Products

VMware Aria Operations