CISA Adds VMware Aria Operations RCE Flaw to KEV Catalog After Reports of Active Exploitation

CISA has added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting VMware Aria Operations, the widely deployed enterprise monitoring platform used to track server, network, and cloud infrastructure performance.

The vulnerability, a CVSS 8.1 command injection flaw, allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems — potentially achieving full remote code execution. Federal civilian agencies have been ordered to remediate by March 24, 2026.

Broadcom acknowledged awareness of exploitation reports but stopped short of independent confirmation, stating it "cannot independently confirm their validity." No technical details about the exploitation activity have been publicly disclosed.

The Vulnerability

CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations that can be exploited without authentication during the support-assisted product migration process.

The attack surface stems from the migration service infrastructure — specifically a migration service script and a sudoers entry that allows a workflow script to execute as root without a password:

NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh

An attacker who can reach the migration service endpoint can inject arbitrary commands that execute with root privileges through this passwordless sudo chain — a critical exposure on any Aria Operations appliance where migration components remain enabled.

Timeline

  • February 24, 2026 — Broadcom discloses and patches the vulnerability in advisory VMSA-2026-0001
  • March 3, 2026 — CISA adds CVE-2026-22719 to KEV catalog citing exploitation reports
  • March 24, 2026 — Federal remediation deadline

Workaround Available

For organizations unable to patch immediately, Broadcom provides a shell script workaround (aria-ops-rce-workaround.sh) that must be executed as root on each Aria Operations appliance node. The script:

  • Removes the migration service script at /usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh
  • Removes the passwordless sudoers entry for vmware-casa-workflow.sh

This effectively disables the migration components that create the exploitable attack surface.

Defender Recommendations

  • Patch immediately — apply the February 24 security update across all Aria Operations appliances
  • Deploy the workaround if patching is delayed — run aria-ops-rce-workaround.sh as root on every node to disable the vulnerable migration components
  • Audit sudoers configurations — check for any NOPASSWD entries related to VMware CASA workflow scripts that could provide unauthenticated root execution paths
  • Restrict network access to migration endpoints — ensure Aria Operations migration services are not exposed to untrusted networks
  • Hunt for post-exploitation indicators — review command execution logs on Aria Operations appliances for unexpected activity, particularly commands executed through the migration service path
  • Inventory all VMware Aria Operations deployments — ensure no instances have been missed, including development or staging environments
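
The sudoers audit and the workaround's end state can be verified with a short check for the two artifacts named above. This is an added example, not part of the original article and not Broadcom's aria-ops-rce-workaround.sh. The function names, the optional root-directory argument (for auditing a mounted or copied filesystem), and the standard /etc/sudoers and /etc/sudoers.d locations are assumptions.

```shell
#!/bin/sh
# Added example: reports whether the migration components described in the
# article are still present on a node. Paths come from the article; the
# ROOT argument is an assumption that allows offline checks of a copied tree.
MIGRATION_SCRIPT="usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh"
WORKFLOW_SCRIPT="/usr/lib/vmware-casa/bin/vmware-casa-workflow.sh"

# Print file:line:text for every non-comment sudoers line that grants
# NOPASSWD on the workflow script.
find_nopasswd_entries() {
    root="${1%/}"
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        # /dev/null as a second file makes grep always print the file name.
        grep -n -E "^[^#]*NOPASSWD:.*${WORKFLOW_SCRIPT}" "$f" /dev/null \
            2>/dev/null || true
    done
}

# Return 0 when neither artifact is present, 1 when either one is found.
audit_node() {
    root="${1:-/}"
    root="${root%/}"
    status=0
    if [ -e "$root/$MIGRATION_SCRIPT" ]; then
        echo "FOUND migration script: $root/$MIGRATION_SCRIPT"
        status=1
    fi
    entries=$(find_nopasswd_entries "$root")
    if [ -n "$entries" ]; then
        echo "FOUND passwordless sudoers entry for the workflow script:"
        echo "$entries"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: migration components not found under ${root:-/}"
    fi
    return "$status"
}

# Run only when a root directory is given, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then
    audit_node "$1"
    exit $?
fi
```

Run it as root on each node so the sudoers files are readable; a non-zero exit status means the node still carries at least one of the two components.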
