
VMware Aria Operations flaw added to list of exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity VMware Aria Operations bug to its Known Exploited Vulnerabilities (KEV) catalog.

Broadcom, which owns VMware, originally disclosed and patched the Aria Operations flaw on Feb. 24. At the time, the vendor said it was aware of exploitation in the wild, but it reportedly could not yet confirm the most recent news.

Security pros were concerned about this flaw because Aria Operations functions as the highest-privileged management platform in VMware environments.

“When you compromise a tool like Aria Ops, you don't just get a map of the kingdom, you get the keys to all the castles,” said Denis Calderone, Principal/CTO at Suzu Labs. “That's the inherited trust problem we've been warning about for years. Your security and operations tooling have implicit trust throughout the environment, so this makes these tools the most sought after by attackers.”

Calderone explained that CVE-2026-22719 is an unauthenticated RCE, meaning attackers don't need credentials. If an Aria Operations management interface is reachable, that's all the attackers need.

“Management interfaces for infrastructure tools should never be internet-accessible, period,” said Calderone. “It might seem obvious that management interfaces need to be protected, but it seems like every week or two we’re hearing about a new exploitation campaign using exposed infrastructure as their targets. But still, even if you have properly secured your management interfaces, this is a nasty bug that should be addressed as soon as possible.”
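The two controls Calderone describes, keeping management interfaces off the internet and patching the bug regardless, translate into a simple inventory check. The script below is an added example, not code from SC Media, Suzu Labs or Broadcom. It assumes a constructed inventory of management endpoints (hostnames, addresses and firewall-permitted source ranges are invented), assumes the organization's management networks are the RFC 1918 ranges, and reports each endpoint's exposure and patch status so that an exposed, unpatched Aria Operations appliance is triaged first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the organization's management networks are the RFC 1918
# ranges. Any source range not contained in one of these is external.
TRUSTED_MGMT_NETS = [ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (not real hosts). 'allowed_sources' is what the
# perimeter firewall or ACL permits to reach the management port;
# 'patched' records whether the CVE-2026-22719 fix has been applied.
INVENTORY = [
    {"name": "aria-ops-01", "mgmt_ip": "10.20.0.15", "port": 443,
     "allowed_sources": ["10.0.0.0/8"], "patched": False},
    {"name": "aria-ops-dr", "mgmt_ip": "203.0.113.40", "port": 443,
     "allowed_sources": ["0.0.0.0/0"], "patched": False},
    {"name": "vcenter-01", "mgmt_ip": "10.20.0.20", "port": 443,
     "allowed_sources": ["10.20.0.0/16", "198.51.100.0/24"], "patched": True},
]


@dataclass
class Finding:
    name: str
    severity: str
    reasons: list


def is_trusted_source(cidr):
    """True if the CIDR lies entirely inside one of the trusted management networks."""
    net = ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_MGMT_NETS)


def external_sources(allowed_sources):
    """Return the permitted source ranges that reach outside the trusted networks."""
    return [c for c in allowed_sources if not is_trusted_source(c)]


def assess(entry):
    """Rate one endpoint: exposure and patch status combine into a severity."""
    reasons = []
    ext = external_sources(entry["allowed_sources"])
    if ext:
        reasons.append(f"management port {entry['port']} reachable from {', '.join(ext)}")
    if not any(ip_address(entry["mgmt_ip"]) in t for t in TRUSTED_MGMT_NETS):
        reasons.append(f"management interface bound to non-management address {entry['mgmt_ip']}")
    exposed = bool(reasons)
    if not entry["patched"]:
        reasons.append("fix for CVE-2026-22719 not applied")
    if exposed and not entry["patched"]:
        severity = "critical"   # reachable by an unauthenticated attacker and vulnerable
    elif not entry["patched"]:
        severity = "high"       # internal only, but still an unauthenticated RCE
    elif exposed:
        severity = "medium"     # patched, yet the interface should not be reachable
    else:
        severity = "ok"
    return Finding(entry["name"], severity, reasons)


RANK = {"critical": 0, "high": 1, "medium": 2, "ok": 3}


def triage(inventory):
    """Assess every endpoint and order the findings by severity."""
    return sorted((assess(e) for e in inventory), key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.severity.upper():8} {f.name}: {'; '.join(f.reasons) or 'no issues'}")
```

The trusted-network allowlist is deliberately explicit rather than relying on a generic "is this a private address" test: a management interface reachable from a partner's or cloud provider's public range is still exposed, and the allowlist makes that policy decision visible in one place.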

Collin Hogue-Spears, senior director of solution management at Black Duck, added that a breach through Aria Operations compromises the entire virtual infrastructure at once, not one workload. Credentials, network topology, monitoring: the attacker inherits it all, said Hogue-Spears.

“An attacker who takes Aria does not steal one server,” said Hogue-Spears. “They inherit the credentials and network topology for every system Aria manages. They see what your SOC sees. They control what your SOC trusts. The first thing a capable attacker does after compromising a monitoring platform: make that platform report that nothing happened. Your team watches clean dashboards while the attacker harvests vCenter service accounts, maps every ESXi host, and stages ransomware deployment across your entire virtual estate.”

Hogue-Spears pointed out that he’s not speculating: Scattered Spider, Qilin, and Lazarus Group all have documented campaigns targeting VMware management infrastructure precisely because of this outsized access.
