Another VMware vulnerability has been exploited in the wild, according to the Cybersecurity and Infrastructure Security Agency (CISA).
CVE-2026-22719 is a high-severity (CVSS 8.1) command injection vulnerability present in VMware Aria Operations versions prior to 8.18.6. VMware owner Broadcom said in an advisory, “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.”
It was first disclosed, and addressed with the update to 8.18.6, on Feb. 24 alongside two other flaws: Aria Operations cross-site scripting bug CVE-2026-22720 (CVSS 8.0) and privilege escalation vulnerability CVE-2026-22721 (CVSS 6.2).
On March 3, CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog alongside a recent Qualcomm bug. The same day, Broadcom updated its advisory with a line, “UPDATE: Broadcom is aware of reports of potential…