A new security advisory has raised serious concerns for enterprises running VMware environments. On 24 Feb 2026, Broadcom released advisory VMSA-2026-0001, disclosing 3 vulnerabilities in VMware Aria Operations that could expose systems to remote code execution (RCE) and other high-risk attacks. Organizations using impacted versions are urged to apply patches immediately.
The vulnerabilities affect VMware Aria Operations, which is integrated into products such as VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure.
The disclosed flaws include:
- CVE-2026-22719 – Command injection (CVSS 8.1)
- CVE-2026-22720 – Stored cross-site scripting (CVSS 8.0)
- CVE-2026-22721 – Privilege escalation (CVSS 6.2)
The most critical issue, CVE-2026-22719, allows unauthenticated attackers to execute arbitrary commands during support-assisted product migrations. This could result in full remote code execution.
- CVE-2026-22720 enables privileged users to create custom benchmarks that inject malicious scripts capable of triggering administrative actions.
- CVE-2026-22721 allows vCenter users with access to escalate privileges to admin level within Aria Operations.
All vulnerabilities are rated Important severity. A workaround is available only for CVE-2026-22719 via KB430349. No workaround exists for the other 2 issues, increasing the urgency for patching.
Impacted deployments include:
- VMware Aria Operations 8.x
- Cloud Foundation 9.x / 5.x / 4.x
- Telco Cloud Platform 5.x / 4.x
- Telco Cloud Infrastructure 3.x / 2.x
Fixes are confirmed in updated releases such as Aria Operations 8.18.6 and Cloud Foundation 9.0.2.0.
Security researchers Tobias Anders (Deutsche Telekom Security), Sven Nobis and Lorin Lehawany (ERNW) reported the vulnerabilities.
Administrators are advised to review deployment versions against the advisory matrix and apply updates without delay. Exploitation during migration processes could disrupt cloud environments and compromise enterprise operations.