Emergency Security Bulletin: Command Injection Leading to Remote Code Execution in VMware Aria Operations


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-22719 is a high-severity command injection vulnerability in VMware Aria Operations. The flaw exists in support-assisted product migration functionality, where insufficient input validation allows a malicious actor to inject and execute arbitrary system commands. Confirmed exploitation activity has been observed, and the vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation could result in remote code execution and compromise of monitoring and infrastructure management systems.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Authentication Bypass in Cisco Catalyst SD-WAN Controller and Manager

CVSS Score: 8.1 (High, CVSS v3.1)
Identifier: CVE-2026-22719 
PoC or Exploitation:
Exploitation of the vulnerability is confirmed, based on its listing in CISA KEV.

Update/Patch:
VMware has released fixes for CVE-2026-22719 as part of security advisory VMSA-2026-0001. Organizations should apply the security updates listed in the "Fixed Version" column of the VMware response matrix for their affected products.

Official VMware security advisory and patch guidance:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Description:
CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations. The flaw exists in support-assisted product migration functionality, where insufficient input validation allows a malicious actor to inject and execute arbitrary system commands.
 

Mitigation Recommendation:

Apply the VMware security updates referenced in advisory VMSA-2026-0001 immediately across all affected products and nodes.
 
Restrict access to VMware Aria Operations management interfaces and migration-related endpoints to trusted internal networks only.