Cybersecurity Threat Advisory: VMware Aria Operations vulnerabilities

On February 24, 2026, Broadcom released a critical security advisory addressing three distinct vulnerabilities in VMware Aria Operations. These flaws—ranging from Command Injection to Privilege Escalation—can compromise the confidentiality, integrity, and administrative control of affected systems. Immediate patching is required to prevent widespread infrastructure compromise. Review this Cybersecurity Threat Advisory for more details on how to protect your environment.

What is the threat?

Three vulnerabilities have been identified within VMware Aria Operations:

  • CVE-2026-22719: Command Injection (CVSS 8.1) – A flaw in how the management interface processes administrative inputs. It does not properly sanitize shell metacharacters before executing system-level commands. An authenticated attacker with network access to the Aria Operations setup can inject malicious strings into specific configuration parameters, resulting in Remote Code Execution (RCE).
  • CVE-2026-22720: Stored Cross-Site Scripting (CVSS 8.0) – The application allows user-supplied data to be stored and later displayed without adequate validation or encoding. An attacker can embed a malicious JavaScript payload that executes when a high-privilege administrator views the affected page. This can lead to session hijacking, allowing the attacker to steal administrative cookies and impersonate a super-user.
  • CVE-2026-22721: Privilege Escalation (CVSS 6.2) – A local vulnerability stemming from improper file handling. An attacker who already has access to the appliance can exploit this flaw to elevate their privileges from a standard user to root, granting full control over the underlying operating system and bypassing internal security telemetry.

Impacted components include:

  • VMware Aria Operations (all 8.x releases prior to 8.18.6)
  • VMware Cloud Foundation Operations and Aria bundles (versions prior to 9.0.2.0)
  • VMware Telco Cloud Platform and Telco Cloud Infrastructure variants running Aria Operations versions below the fixed releases

Why is it noteworthy?

No widespread exploitation has been publicly reported, but Aria Operations commonly runs with high-level system privileges. A successful attack could allow arbitrary code execution, installation of persistent backdoors, or lateral movement across the virtualized environment.

What is the exposure or risk?

Aria Operations serves as a core component of the management plane. Compromising it provides attackers with a pathway into the wider VMware Cloud Foundation stack. In Telco Cloud environments, these vulnerabilities could disrupt 5G core services or interfere with network slicing configurations. Attackers could also alter performance metrics to conceal other malicious activities or exfiltrate sensitive configuration metadata.

What are the recommendations?

Barracuda strongly advises organizations to take the following immediate actions:

  • Apply vendor updates immediately:
    • VMware Aria Operations: Upgrade to 8.18.6 or later.
    • VMware Cloud Foundation: Update to 9.0.2.0 or later.
    • Telco Cloud Platform/Infrastructure: Apply corresponding patches as outlined in KB428241.
  • Ensure Aria Operations is isolated on a restricted management network and not exposed to the public internet.
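
To turn the version guidance above into a quick inventory check, the following added example (not part of the original advisory and not Broadcom or Barracuda code) compares deployed versions against the fixed releases listed here. The product labels, hostnames and inventory rows are assumptions made up for illustration; versions are compared numerically because a plain string comparison would rank 8.9.0 above 8.18.6.

```python
import re

# Fixed releases exactly as given in the advisory text.
FIXED = {
    "aria-operations": (8, 18, 6),
    "cloud-foundation": (9, 0, 2, 0),
}

def parse_version(text):
    """Parse '8.18.6', 'v8.18.10' or '8.18.6-build123' into a tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(product, version):
    """Return 'vulnerable', 'fixed' or 'check-vendor-kb' for one inventory row."""
    fixed = FIXED.get(product)
    if fixed is None:
        # Telco Cloud fixed builds are not in the advisory; it points to KB428241.
        return "check-vendor-kb"
    try:
        have = parse_version(version)
    except ValueError:
        return "check-vendor-kb"
    if product == "aria-operations" and have[0] != 8:
        # The advisory scopes only the 8.x line for Aria Operations.
        return "check-vendor-kb"
    # Pad to equal length so '9.0.2' and '9.0.2.0' compare as the same release.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if have < fixed else "fixed"

# Constructed inventory: hostnames, product labels and versions are made up.
INVENTORY = [
    ("ops-a.example.internal", "aria-operations", "8.18.5"),
    ("ops-b.example.internal", "aria-operations", "8.9.0"),
    ("ops-c.example.internal", "aria-operations", "8.18.10"),
    ("vcf-a.example.internal", "cloud-foundation", "9.0.1"),
    ("tcp-a.example.internal", "telco-cloud-platform", "unknown"),
]

def report(inventory=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:26} {status}")
```

Rows that come back as `check-vendor-kb` fall outside the version ranges this advisory states and need to be resolved against the vendor's own guidance.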

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.