Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

VMware fixes command injection flaw in Aria Operations

VMware has released patches for several high- and medium-risk vulnerabilities that impact its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products.

The most serious of these flaws allows unauthenticated attackers to execute arbitrary commands on the underlying OS, while another gives authenticated users the ability to elevate to administrator privileges.

The issues — CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721 — were privately reported to Broadcom and there is no evidence of in-the-wild exploitation so far. However, critical Aria Operations vulnerabilities have been exploited in the past and enterprise virtualization infrastructure has been targeted by state-sponsored threat actors.

Broadcom advises customers to upgrade to Aria Operations 8.18.6, as well as versions 5.2.3 or 9.0.2 VMware Cloud Foundation (VCF). VMware Telco Cloud Platform and Telco Cloud Infrastructure are also impacted because they include Aria Operations, the IT management component for private and multicloud environments.

Command injection and privilege escalation

Even though CVE-2026-22719 is an unauthenticated command injection flaw that can lead to remote code execution, the vulnerability is rated high rather than critical severity because it can only be exploited when support-assisted product migration is in progress, making widespread exploitation less likely.

By comparison in 2023 following the disclosure of a command injection flaw in Aria Operations for Networks, security companies detected almost 700,000 attack attempts.

The second vulnerability, CVE-2026-22720, is described as a stored cross-site scripting (XSS) issue that is also rated high severity, with a score of 8.0 on the CVSS scale. This flaw allows attackers with privileges to create custom benchmarks on a deployment to inject persistent scripting that would perform administrative actions.

The third flaw is a moderate severity issue with a rating of 6.2 that can be exploited if attackers obtain privileges in vCenter that allow them to access Aria Operations. vCenter is the management platform for vSphere virtual environments, and this vulnerability is considered a privilege escalation issue because it could lead to administrative privileges in Aria.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.