
CVE-2026-22719: VMware Aria Operations Command Injection Exploited in the Wild

What CVE-2026-22719 is

CVE-2026-22719 is an OS command injection vulnerability in VMware Aria Operations, Broadcom’s operations monitoring and management platform that used to be called vRealize Operations. The flaw lets an unauthenticated attacker run arbitrary commands on the server, which can escalate to remote code execution (RCE) and full compromise of the affected instance.

Broadcom’s official description pins down when the bug is exploitable: while a support-assisted product migration is in progress. During that process, attacker-controlled input never gets sanitized and ends up running as a command on the underlying system.

Who is affected

Organizations running VMware Aria Operations (Broadcom). Aria Operations usually sits in corporate virtualization environments, watching the performance, capacity and health of vSphere infrastructure, so compromising this component hands an attacker a privileged foothold inside the data center.

Broadcom’s advisory (VMSA-2026-0001) bundles this flaw with two other vulnerabilities fixed in the same batch, tracked as CVE-2026-22720 and CVE-2026-22721.

Severity

Broadcom rates the issue in the “Important” severity range, with a maximum CVSS v3 score of 8.1 (high). The score comes from three factors stacking up: a network vector, no authentication required, and the chance to land code execution on the server.

What matters most is that this is not a theoretical risk: the flaw has been exploited in real-world attacks. Broadcom said it was aware of reports of potential exploitation in the wild, though it could not independently confirm them. The confirmation came through CISA, which added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog on March 3, 2026 and set a remediation deadline for U.S. federal agencies of March 24, 2026.

Mitigation and patch

Broadcom shipped the fixes on February 24, 2026 through advisory VMSA-2026-0001. Here is what it recommends:

  • Apply the patch for your version, following the “Fixed Version” column of the Response Matrix in Broadcom’s official advisory.
  • If you cannot patch right away, apply the temporary workaround documented in the “Workarounds” column of that same matrix.
  • Treat assisted migration as a sensitive window: since the condition triggers during support-assisted migrations, coordinate and watch those processes closely until the patch is in place.
  • Restrict network access to the Aria Operations interface and review logs for signs of anomalous commands.

With a flaw that is actively exploited and listed in CISA’s KEV catalog, the sensible move is to patch as a priority instead of waiting for the official deadline.
