VMware Aria Operations Under Active Attack: CISA Orders Federal Agencies to Patch Immediately
CISA added CVE-2026-22719 (CVSS 8.1) to the Known Exploited Vulnerabilities catalog after confirming active exploitation. The command injection flaw in VMware Aria Operations allows unauthenticated RCE. Federal agencies must patch by March 24, 2026.
If your organization runs VMware Aria Operations and you haven't patched yet, you're already behind. CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog on March 3rd, which means this isn't theoretical anymore. Attackers are actively weaponizing this flaw in the wild.
The vulnerability itself is a command injection bug that allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems. The especially nasty part? It can be exploited during support-assisted product migration, a scenario where many organizations might have their guard down thinking they're in a controlled maintenance window. An attacker who successfully exploits this flaw can achieve remote code execution, essentially gaining full control over the affected Aria Operations deployment.
For those unfamiliar with the product, VMware Aria Operations (formerly known as vRealize Operations or vROps) is the brains behind many enterprise virtualization monitoring deployments. It's the tool organizations use to optimize performance, plan capacity, and troubleshoot issues across their VMware estates. A compromised Aria Operations instance doesn't just mean one breached system. It means an attacker potentially has visibility into your entire virtualized infrastructure, understanding exactly what you're running, where, and how it's configured.
Broadcom, which acquired VMware and now manages its security advisories, published VMSA-2026-0001 addressing this issue. The fix is available in Aria Operations version 8.18.6. If you can't patch immediately, Broadcom has documented workarounds in the advisory, though given the active exploitation status, treating this as an emergency patch situation is the right call.
The timing here matters. Federal agencies bound by CISA's Binding Operational Directive 22-01 have until March 24th to remediate, but private organizations shouldn't take that as permission to wait three weeks. Once a vulnerability lands in the KEV catalog, it means threat actors have already figured out how to exploit it and are doing so successfully. Every day without a patch is another day of exposure.
What makes command injection vulnerabilities particularly dangerous is their flexibility. Unlike some exploits that have narrow use cases, command injection gives attackers the ability to run whatever they want on the target system. They can download additional malware, exfiltrate data, pivot to other systems on the network, or simply lie in wait for a more opportune moment. The possibilities are limited only by the attacker's creativity and patience.
Organizations running Aria Operations should check their current version immediately. If you're not on 8.18.6 or later, prioritize this patch above nearly everything else in your queue. Also worth considering is whether your Aria Operations instance is exposed to the internet or accessible from less-trusted network segments. Because the vulnerability doesn't require authentication, limiting which networks can reach the instance reduces the attack surface and provides an additional layer of protection while you work on getting patches deployed.
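The version and exposure check described above, as an added example (not Broadcom's or CISA's tooling): it triages a constructed inventory against the fixed release 8.18.6 and the March 24, 2026 due date. The hostnames, the CSV layout, the exposure labels and the dotted numeric version format are assumptions.

```python
import csv
import io
from datetime import date

FIXED = (8, 18, 6)            # fixed release named in the article
KEV_DUE = date(2026, 3, 24)   # BOD 22-01 due date named in the article
# Assumed exposure tiers used for ranking (hypothetical labels, not from the advisory)
EXPOSURE_RANK = {"internet": 0, "less-trusted": 1, "mgmt-only": 2}

# Constructed inventory: hostnames, versions and exposure values are made up.
SAMPLE_INVENTORY = """host,version,exposure
aria-ops-01.example.internal,8.18.6,mgmt-only
aria-ops-02.example.internal,8.18.5,internet
aria-ops-03.example.internal,8.17.2,less-trusted
aria-ops-04.example.internal,8.18,mgmt-only
aria-ops-05.example.internal,unknown,less-trusted
aria-ops-06.example.internal,8.18.10,internet
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))    # "8.18" -> (8, 18, 0)

def triage(inventory_csv, today):
    """Return (days_left, rows): hosts not confirmed on the fix, most exposed first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        ver = parse_version(rec["version"])
        if ver is not None and ver >= FIXED:
            continue                               # on 8.18.6 or later
        status = "VERIFY" if ver is None else "PATCH"  # unknown version is never assumed safe
        rank = EXPOSURE_RANK.get(rec["exposure"], 0)   # unrecognised exposure sorts as worst case
        rows.append((rank, rec["host"], rec["version"], status))
    rows.sort()
    return (KEV_DUE - today).days, [r[1:] for r in rows]

if __name__ == "__main__":
    days_left, findings = triage(SAMPLE_INVENTORY, date(2026, 3, 10))
    print(f"{days_left} days to the KEV due date")
    for host, version, status in findings:
        print(f"{status:6} {host:32} {version}")
```

The comparison is numeric on purpose: 8.18.10 is later than 8.18.6, which a plain string comparison gets wrong.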
The bigger picture here is the continued targeting of infrastructure management tools. Attackers understand that compromising the systems that manage other systems provides outsized returns. One successful exploit can cascade into access across dozens or hundreds of managed endpoints. It's the same logic behind attacks on Active Directory, identity providers, and orchestration platforms. If you're not giving your infrastructure management tools the same security attention you give your crown jewel applications, now would be an excellent time to reconsider that approach.
Patch now. Ask questions later.