CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2026-22719 · CVSS 8.1 · EPSS 10.76%

CVE-2026-22719: Unauthenticated Command Injection in VMware Aria Operations

Alon Barad, Software Engineer

Mar 5, 2026 · 4 min read

Active Exploitation · CISA KEV Listed

Executive Summary (TL;DR)

Unauthenticated Remote Code Execution (RCE) in VMware Aria Operations via the migration service. Rated CVSS 8.1 (High) due to high attack complexity (requires active migration state). Actively exploited in the wild.

A high-severity command injection vulnerability exists in the support-assisted product migration interface of VMware Aria Operations (formerly vRealize Operations). The flaw allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges, provided the target system is actively undergoing a support-assisted migration. This vulnerability has been identified in active exploitation campaigns and added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Overview

CVE-2026-22719 is a Command Injection vulnerability (CWE-77) affecting the 'support-assisted product migration' feature in VMware Aria Operations. This feature is designed to facilitate the transfer of data and configuration settings during product upgrades or support interventions. The vulnerability manifests in the way the application processes external input received over the network during this specific operational state.

The flaw permits an unauthenticated attacker to inject arbitrary operating system commands into the affected component. Because the Aria Operations appliance typically runs with elevated privileges (often root or a highly privileged service account) to manage virtualization infrastructure, successful exploitation results in complete system compromise. The vulnerability affects multiple versions of the 8.x and 9.x branches, as well as associated Cloud Foundation and Telco Cloud products.

Technical Analysis & Root Cause

The core defect lies in the improper neutralization of special elements used in a command (CWE-77). When the support-assisted migration service is active, it exposes specific API endpoints or listeners to coordinate the migration process. These endpoints accept parameters—likely intended for file paths, IP addresses, or configuration tokens—that are subsequently used to construct a command-line string for execution by the underlying operating system shell.

The application fails to rigorously sanitize this input before passing it to functions such as system(), exec(), or equivalent shell-execution primitives. An attacker can append shell metacharacters (e.g., ;, |, &, $()) to the legitimate input. When the application processes this tainted string, the shell interprets the metacharacters as command separators or sub-shell directives, executing the attacker's payload alongside the intended migration command.
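The defect class described above, side by side with its fix, as an added illustration that is not VMware's code: the helper name, the rsync step and the paths are assumptions chosen only to show how a network-supplied parameter reaches a shell and how an argv-based call with type validation removes the shell from the path entirely.

```python
"""Hypothetical illustration of the CWE-77 pattern described above.
This is NOT VMware's code: the helper, the rsync step and the paths are
assumptions used only to show the defect and its fix side by side."""
import ipaddress
import shlex

# Constructed inputs: a legitimate source host and one carrying ';'.
BENIGN_SOURCE = "10.0.0.5"
TAINTED_SOURCE = "10.0.0.5; id"


def build_command_vulnerable(source_host: str) -> str:
    """Defect: network input is spliced into a string a shell will parse,
    so ';', '|', '&' and '$()' inside it become command separators."""
    return f"rsync -a migrator@{source_host}:/var/migration/ /tmp/migration/"


def build_command_quoted(source_host: str) -> str:
    """Partial fix: shlex.quote stops the shell from splitting the value.
    Acceptable only when a shell string is truly unavoidable."""
    remote = shlex.quote(f"migrator@{source_host}:/var/migration/")
    return f"rsync -a {remote} /tmp/migration/"


def build_command_hardened(source_host: str) -> list:
    """Proper fix: validate the parameter as the type it must be, then pass
    an argv list (subprocess.run(argv) with the default shell=False), so no
    shell ever interprets the value."""
    try:
        ipaddress.ip_address(source_host)
    except ValueError:
        raise ValueError(f"rejected source host: {source_host!r}") from None
    return ["rsync", "-a", f"migrator@{source_host}:/var/migration/",
            "/tmp/migration/"]


def hardened_accepts(source_host: str) -> bool:
    """True if the hardened builder accepts the value, False if rejected."""
    try:
        build_command_hardened(source_host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_command_vulnerable(TAINTED_SOURCE))   # shell would run 'id'
    print(build_command_quoted(TAINTED_SOURCE))       # one quoted argument
    print(hardened_accepts(TAINTED_SOURCE))           # False
```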

> [!NOTE]
> The 'High' Attack Complexity (AC:H) rating in the CVSS score (8.1) is critical context. The vulnerable code path is not universally accessible; it requires the target system to be in a specific state: 'support-assisted product migration' must be in progress. This creates a temporal restriction on exploitation, limiting the attack window to times when administrators are actively maintaining or upgrading the system.

Exploitation Methodology

To exploit this vulnerability, an attacker must first identify a VMware Aria Operations instance that has the migration service active. In a typical attack scenario, the adversary would scan for the specific ports or HTTP endpoints associated with the migration tool. Once the service is detected, the attacker constructs a malicious network request containing the command injection payload.

Given the lack of authentication requirements (PR:N), the attacker does not need valid credentials. The payload is delivered via the network (AV:N). Successful injection allows the attacker to spawn a reverse shell, download remote malware, or directly exfiltrate credentials stored on the appliance. The following diagram illustrates the attack flow:

The vulnerability is particularly dangerous because it bypasses standard access controls. While the requirement for the migration state to be active acts as a mitigating factor, threat actors often automate the scanning process to detect this state the moment it is engaged.

Impact Assessment

The impact of CVE-2026-22719 is classified as Critical regarding the confidentiality, integrity, and availability of the affected system.

  • Confidentiality: Attackers can access sensitive configuration data, including vCenter credentials, database connection strings, and infrastructure maps. This data can be used to pivot laterally into the managed virtualization environment.
  • Integrity: Attackers can modify system configurations, inject persistent backdoors, or alter monitoring data to hide their presence.
  • Availability: Attackers can delete critical files, stop services, or encrypt the appliance (ransomware), disrupting the organization's ability to monitor and manage their virtual infrastructure.

Since VMware Aria Operations often serves as a centralized management hub, its compromise can serve as a beachhead for wider attacks against the Software-Defined Data Center (SDDC).

Mitigation and Remediation

Broadcom has released official patches to address this vulnerability. Organizations using VMware Aria Operations should upgrade immediately to the fixed versions:

  • v8.x Branch: Upgrade to version 8.18.6.
  • v9.x Branch: Upgrade to version 9.0.2.
  • Cloud Foundation: Upgrade to 5.2.3 or 9.0.2.0 depending on the branch.

Workaround (KB430349)

If immediate patching is not feasible, a workaround script is available. This script likely disables the vulnerable migration vector or enforces stricter input validation at the configuration level.

  1. Download aria-ops-rce-workaround.sh from Broadcom KB430349.
  2. Transfer to the appliance: scp aria-ops-rce-workaround.sh root@<node-ip>:/root/
  3. Execute: chmod +x aria-ops-rce-workaround.sh && ./aria-ops-rce-workaround.sh

Security teams should also implement network detection rules (Snort/Suricata) to flag traffic destined for migration endpoints containing common shell metacharacters.
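One way to implement the detection logic described above on web-access logs, as an added example that is not part of the original report: the endpoint prefix `/migration/` is an assumption (the report does not give the real paths), and the log lines are constructed.

```python
"""Added detection example (not from the original report): flag requests to
the migration surface whose query parameters carry shell metacharacters.
ASSUMPTIONS: the endpoint prefix '/migration/' is invented (the report does
not give the real paths) and the log lines below are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Metacharacters named in the analysis (';', '|', '&', '$()') plus backtick.
SHELL_META = re.compile(r"[;|&`]|\$\(")
MIGRATION_PREFIX = "/migration/"   # assumption, see docstring

# Constructed web-access log lines (common log format, query string kept).
SAMPLE_LOG = """\
10.1.1.7 - - [03/Mar/2026:10:15:01 +0000] "POST /migration/start?source=10.0.0.5 HTTP/1.1" 200 512
10.1.1.7 - - [03/Mar/2026:10:15:09 +0000] "POST /migration/start?source=10.0.0.5%3Bid HTTP/1.1" 500 0
203.0.113.9 - - [03/Mar/2026:10:16:00 +0000] "GET /ui/login.action?user=a%7Cb HTTP/1.1" 200 99
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_params(target: str) -> dict:
    """Return {name: decoded value} for query parameters that contain shell
    metacharacters. parse_qsl percent-decodes, so %3B is seen as ';'."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(v)}


def scan_log(text: str) -> list:
    """Scope the rule to the migration endpoints so ordinary UI traffic
    with '|' or '&' in parameters does not flood the alert queue."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not urlsplit(target).path.startswith(MIGRATION_PREFIX):
            continue
        hits = suspicious_params(target)
        if hits:
            alerts.append({"src": m.group("src"), "ts": m.group("ts"),
                           "status": m.group("status"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Access logs do not record POST bodies, so the same check on body parameters needs the IDS or WAF request capture the report refers to rather than log review.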

Official Patches

  • Broadcom VMSA-2026-0001 Security Advisory
  • Broadcom KB430349 Workaround Instructions

Technical Appendix

CVSS Score: 8.1 / 10 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Probability: 10.76% (top 7% most exploited)

Affected Systems

  • VMware Aria Operations 8.0 - 8.18.5
  • VMware Aria Operations 9.0.0 - 9.0.1
  • VMware Cloud Foundation (Operations) 4.x - 5.2.2
  • VMware Cloud Foundation (Operations) 9.0 - 9.0.1
  • VMware Telco Cloud Platform 4.0 - 5.1
  • VMware Telco Cloud Infrastructure 2.2 - 3.0

Affected Versions Detail

  Product                  Vendor     Affected Versions   Fixed Version
  VMware Aria Operations   Broadcom   8.0 - 8.18.5        8.18.6
  VMware Aria Operations   Broadcom   9.0.0 - 9.0.1       9.0.2

  Attribute         Detail
  CVSS v3.1         8.1 (High)
  Vector            AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CWE               CWE-77 (Command Injection)
  EPSS Score        10.76%
  EPSS Percentile   93.20%
  KEV Status        Listed (Active Exploitation)

MITRE ATT&CK Mapping

  • T1059 Command and Scripting Interpreter (Execution)
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1203 Exploitation for Client Execution (Execution)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Vulnerability Timeline

  • 2026-02-24: Broadcom releases Security Advisory VMSA-2026-0001
  • 2026-02-25: CVE-2026-22719 published in NVD
  • 2026-03-03: CISA adds to KEV Catalog (Active Exploitation)
  • 2026-03-03: Workaround KB430349 published

Attack Flow Diagram (interactive diagram; not reproduced in this text)