Broadcom patches command injection and XSS in VMware Aria Operations
TL;DR — Broadcom patched a command injection, stored XSS, and privilege escalation in VMware Aria Operations affecting direct deployments and VCF/Telco Cloud bundles.
What happened
VMware Aria Operations (formerly vRealize Operations) is Broadcom's infrastructure monitoring and capacity management platform for virtualized and cloud environments. Broadcom published VMSA-2026-0001 covering three vulnerabilities in VMware Aria Operations: command injection (CVE-2026-22719, CVSS 8.1), stored XSS (CVE-2026-22720, CVSS 8.0), and privilege escalation (CVE-2026-22721, CVSS 6.2).
The command injection is particularly notable — it's exploitable by an unauthenticated attacker during support-assisted product migration, a time when security controls are often relaxed and operational attention is focused elsewhere.
Who is impacted
- Deployments of VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure (where Aria Operations is bundled).
- Fixed versions include Aria Operations 8.18.6 and Cloud Foundation Operations 9.0.2.0.
What to do now
- Identify where VMware Aria Operations is deployed directly or via VCF/Telco bundles.
- Apply the vendor-provided fixed versions from the advisory's Response Matrix.
- If planning a support-assisted migration, review workaround guidance for CVE-2026-22719 (KB430349) until fully patched.
- Limit permissions for custom benchmarks and restrict vCenter-to-Aria access paths.
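To make the first two steps concrete, here is a small triage helper added to this summary (it is not code from Broadcom or from the advisory). It takes an inventory of appliances and flags the ones still below the fixed versions named above, 8.18.6 for Aria Operations and 9.0.2.0 for Cloud Foundation Operations. The inventory rows, hostnames and the product-line labels are constructed sample data and an assumption about how an operator tags their fleet; bundles such as Telco Cloud Platform are not mapped here and are reported separately so that they are checked against the advisory's Response Matrix rather than silently skipped. The helper compares versions numerically, because a naive string comparison would rank a hypothetical 8.18.10 below 8.18.6 and misreport a patched appliance.

```python
"""Triage helper for VMSA-2026-0001 (added example, not Broadcom's code).

Fixed versions come from the advisory summary above; the inventory rows,
hostnames and product-line labels below are constructed sample data.
"""

from typing import Dict, List, Tuple

# Fixed versions named in the summary. Assumption: operators tag appliances
# with these two product-line labels; anything else is left for manual review.
FIXED_VERSIONS: Dict[str, str] = {
    "aria-operations": "8.18.6",
    "cloud-foundation-operations": "9.0.2.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.18.6' into (8, 18, 6) so comparison is numeric, not lexical.

    A plain string comparison would put '8.18.10' before '8.18.6'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed version.

    Shorter version strings are zero-padded, so 9.0.2 equals 9.0.2.0.
    """
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have >= fixed


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows that still need action.

    'needs-patch' rows are below the fixed version for a mapped product line;
    'not-mapped' rows carry a product label this helper does not know and
    must be checked against the advisory's Response Matrix by hand.
    """
    findings: List[Dict[str, str]] = []
    for row in inventory:
        product = row["product"]
        if product not in FIXED_VERSIONS:
            findings.append({**row, "status": "not-mapped"})
            continue
        if not is_patched(product, row["version"]):
            findings.append(
                {**row, "status": "needs-patch", "fixed": FIXED_VERSIONS[product]}
            )
    return findings


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "aria-ops-01.example.internal", "product": "aria-operations", "version": "8.18.5"},
    {"host": "aria-ops-02.example.internal", "product": "aria-operations", "version": "8.18.10"},
    {"host": "vcf-ops-01.example.internal", "product": "cloud-foundation-operations", "version": "9.0.2"},
    {"host": "telco-01.example.internal", "product": "telco-cloud-platform", "version": "4.0.0"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:32} {finding['product']:28} "
              f"{finding['version']:8} {finding['status']}")
```

Feed it the output of whatever inventory source you already trust (a CMDB export, vCenter tags, or an appliance list from the VCF operations console) rather than a hand-maintained list, and treat every 'not-mapped' row as unresolved until someone has looked it up in the Response Matrix.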
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
