VMware has released patches for several high- and medium-risk vulnerabilities that impact its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products.
The most serious of these flaws allows unauthenticated attackers to execute arbitrary commands on the underlying OS, while another gives authenticated users the ability to elevate to administrator privileges.
The issues — CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721 — were privately reported to Broadcom and there is no evidence of in-the-wild exploitation so far. However, critical Aria Operations vulnerabilities have been exploited in the past and enterprise virtualization infrastructure has been targeted by state-sponsored threat actors.
Broadcom advises customers to upgrade to Aria Operations 8.18.6, or to VMware Cloud Foundation (VCF) 5.2.3 or 9.0.2. VMware Telco Cloud Platform and Telco Cloud Infrastructure are also impacted because they bundle Aria Operations, the IT management component for private and multicloud environments.
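For an operations team, the practical follow-up to an advisory like this is to compare an inventory of deployed builds against the fixed releases it names. The script below is an added example written for this page, not code from Broadcom or VMware; the inventory is constructed, and the rule it applies (any build in the same major line that is older than the fixed release still needs the patch, and a major line with no fixed release named here is flagged for manual review) is an assumption drawn from the upgrade guidance above, not a statement of the exact affected version ranges.

```python
"""Triage a fleet inventory against the fixed releases named in the advisory.

Constructed example. FIXED_VERSIONS holds the releases quoted in the advisory
summary; everything else (hosts, the "older than fixed" rule) is assumed.
"""
from typing import List, Optional, Tuple

# Fixed releases as quoted in the advisory: Aria Operations 8.18.6, VCF 5.2.3 / 9.0.2.
FIXED_VERSIONS = {
    "aria-operations": ["8.18.6"],
    "vcf": ["5.2.3", "9.0.2"],
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("ops-01", "aria-operations", "8.18.5"),
    ("ops-02", "aria-operations", "8.18.6"),
    ("ops-03", "aria-operations", "8.17.2"),
    ("vcf-01", "vcf", "5.2.1"),
    ("vcf-02", "vcf", "9.0.2"),
    ("vcf-03", "vcf", "9.0.1-build42"),
    ("vcf-04", "vcf", "4.5.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.1-build42' into (9, 0, 1); build suffixes after '-' are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def needs_upgrade(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target) for one installed build.

    status is 'patched', 'upgrade' (target names the fixed release to move to),
    or 'review' (assumption: no fixed release for this major line is named in
    the advisory, so a human has to check the vendor matrix).
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise ValueError(f"unknown product {product!r}")
    current = parse_version(version)
    # Assumption: compare only against the fixed release in the same major line.
    same_line = [f for f in fixed if parse_version(f)[0] == current[0]]
    if not same_line:
        return ("review", None)
    target = same_line[0]
    if current < parse_version(target):
        return ("upgrade", target)
    return ("patched", None)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Annotate every inventory row with its status and upgrade target."""
    results = []
    for host, product, version in inventory:
        status, target = needs_upgrade(product, version)
        results.append((host, product, version, status, target))
    return results


if __name__ == "__main__":
    for host, product, version, status, target in triage(INVENTORY):
        action = f"-> {target}" if target else ""
        print(f"{host:8} {product:16} {version:14} {status:8} {action}")
```

Versions with a build suffix are normalised before comparison, so a host reporting "9.0.1-build42" is still recognised as older than 9.0.2; the 4.x VCF host is deliberately routed to manual review rather than silently marked patched.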
Command injection and privilege escalation
Even though CVE-2026-22719 is an unauthenticated command injection flaw that can lead to remote code execution, the vulnerability is rated high rather than critical severity because it can only be exploited when support-assisted product migration is in progress, making widespread exploitation less likely.
By comparison, in 2023, following the disclosure of a command injection flaw in Aria Operations for Networks, security companies detected almost 700,000 attack attempts.
The second vulnerability, CVE-2026-22720, is described as a stored cross-site scripting (XSS) issue that is also rated high severity, with a score of 8.0 on the CVSS scale. This flaw allows attackers who hold the privilege to create custom benchmarks on a deployment to inject persistent script content that performs administrative actions when viewed.
The third flaw, CVE-2026-22721, is a moderate-severity issue with a CVSS score of 6.2 that can be exploited if attackers obtain privileges in vCenter that allow them to access Aria Operations. vCenter is the management platform for vSphere virtual environments, and this vulnerability is considered a privilege escalation issue because it could lead to administrative privileges in Aria.