CVE-2026-22719 — Broadcom VMware Aria Operations

Broadcom VMware Aria Operations Command Injection Vulnerability

Added to KEV

2026-03-03

Federal due date

2026-03-24

Vendor

Broadcom

Product

VMware Aria Operations

EPSS

83.6th percentile (score 0.019, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2026-22719

CISA short description

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.