Critical VMware Aria Operations Flaw Allows RCE During System Upgrades

For enterprise IT teams, VMware Aria Operations (formerly vRealize Operations) acts as the central nervous system for monitoring cloud and virtual environments. However, a new security advisory from Broadcom warns that this critical management tool harbors multiple vulnerabilities—including a severe command injection flaw that can be triggered during routine system migrations.

The advisory details three distinct vulnerabilities—CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721—affecting VMware Aria Operations, VMware Cloud Foundation, and VMware Telco Cloud infrastructure.

The most pressing threat highlighted in the report is CVE-2026-22719, a command injection vulnerability carrying a high-severity CVSSv3 base score of 8.1.

“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” reads the advisory.

This means that during the exact window when IT teams are moving or upgrading their infrastructure, an attacker lurking on the network could hijack the process to achieve remote code execution (RCE) without needing a password.

While the command injection requires a specific migration window, a second vulnerability, CVE-2026-22721, presents a more persistent internal threat.

The second flaw, tracked as CVE-2026-22721, allows a user who already possesses lower-level access to escalate their privileges and seize total control of the Aria Operations environment. The researchers who discovered the issue—Sven Nobis and Lorin Lehawany of ERNW Enno Rey Netzwerke GmbH—demonstrated how access in one part of the VMware ecosystem could be weaponized against another.

“A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations,” the advisory states.

The third flaw is CVE-2026-22720, identified as a stored Cross-Site Scripting (XSS) vulnerability, which could allow attackers to inject malicious scripts into the application’s interface.

Broadcom has released official patches to close these security gaps. Administrators running VMware Aria Operations 8.x are urged to upgrade to version 8.18.6. Users operating on VMware Cloud Foundation 9.x.x.x should apply version 9.0.2.0.

For organizations unable to patch the command injection vulnerability (CVE-2026-22719) immediately, Broadcom has provided a specific workaround documented in Knowledge Base article KB430349. However, the advisory explicitly notes that there is no workaround for the vCenter privilege escalation flaw (CVE-2026-22721), making prompt patching the only true defense.