VMware Aria Operations Security Update (VMSA-2026-0001)

Feb 24, 2026

On February 24, 2026, Broadcom published VMSA-2026-0001, covering three vulnerabilities in VMware Aria Operations (and products that bundle it, like VMware Cloud Foundation and Telco Cloud). Two are rated Important (CVSS up to 8.1), and one is Moderate.

This post explains what Aria Operations is used for, what each CVE means in practical terms, and how to prioritize patching and mitigations.

What is VMware Aria Operations used for?

VMware Aria Operations (formerly vRealize Operations) is VMware/Broadcom’s platform for operations management in VMware environments. In practice, teams use it to:

  • Monitor the health and performance of infrastructure (often fed by vCenter metrics)
  • Do capacity and cost management and forecasting
  • Get alerts, troubleshooting workflows, and “what-if” planning
  • Support compliance / configuration visibility across the environment

If you run a sizeable vSphere/VCF environment, Aria Ops often becomes the “single pane” teams lean on for day-to-day operational visibility. That’s why vulnerabilities here matter: it is commonly connected to vCenter and has privileged visibility into the environment, so whoever controls it inherits that reach.

What the Advisory Covers (at a glance)

The advisory addresses three CVEs:

  • CVE-2026-22719: command injection that can lead to unauthenticated remote code execution, but only while a support-assisted product migration is in progress.
  • CVE-2026-22720: stored XSS that can let someone inject scripts to perform administrative actions (requires permission to create custom benchmarks).
  • CVE-2026-22721: privilege escalation from certain vCenter-linked access into Aria Operations admin.

Affected product families listed include:

  • VMware Aria Operations
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

The Three CVEs, Explained Like an Operator

1) CVE-2026-22719 (CVSS 8.1): Command Injection → Potential Unauthenticated RCE

What it is: A command injection vulnerability in Aria Operations.

Who can exploit it: A malicious unauthenticated actor may exploit it.

The catch: Exploitation is tied to a specific condition: “while support-assisted product migration is in progress.”

Why that’s still serious

Even if the window is “only during migration,” migrations are exactly when:

  • Extra services might be enabled
  • Access rules get loosened temporarily
  • Teams are busy and changes are frequent

If you’re migrating now (or about to), this is the CVE to treat as “drop what you’re doing.”

2) CVE-2026-22720 (CVSS 8.0): Stored XSS via Custom Benchmarks

What it is: Stored cross-site scripting in Aria Operations.

Who can exploit it: Someone with privileges to create custom benchmarks.

What it enables: Injecting script that can perform administrative actions in Aria Ops (typically by riding an admin’s session or forcing actions in the UI).

Why XSS can be more than “annoying”

In admin consoles, stored XSS often becomes:

  • Session theft
  • Silent configuration changes
  • Creating new admin users
  • Altering alerting/integrations

So even though it needs an authenticated role, it can be a very real escalation path if permissions are broad or an account is compromised.

3) CVE-2026-22721 (CVSS 6.2): Privilege Escalation to Aria Ops Admin

What it is: A privilege escalation vulnerability in Aria Operations.

Who can exploit it: Someone with vCenter privileges that allow access to Aria Operations.

What it enables: Obtaining administrative access within Aria Operations.

Why this matters

This is the “bridge” scenario: compromise (or misuse) of vCenter-linked access can become Aria Ops admin. If Aria Ops then holds integrations, credentials, or visibility into the environment, that is a valuable lateral-movement foothold.

Patching: What Versions Fix It?

Broadcom’s own guidance boils down to: patch to the fixed versions listed in the response matrix, and/or to the current Aria Ops release that explicitly includes the fixes.

Key fixed targets called out:

  • VMware Aria Operations 8.x → upgrade to 8.18.6
  • VMware Cloud Foundation Operations 9.x → upgrade to 9.0.2.0

The 8.18.6 release notes explicitly say this release resolves CVE-2026-22719/22720/22721, which is a nice “single line” to point change boards at.

Workarounds: Helpful, but Limited

Broadcom documents a workaround for CVE-2026-22719 in KB430349.

But the advisory also makes clear there are no workarounds for the XSS (22720) or privilege escalation (22721).

So: treat the workaround as a short-term seatbelt, not the fix.

Recommended Actions (Prioritized)

If you are in (or about to start) a support-assisted migration

  • Patch first (upgrade to the fixed versions).
  • If patching cannot happen immediately, apply the KB430349 workaround as a stopgap for CVE-2026-22719 (it does nothing for the other two CVEs).
  • Tighten exposure during the migration window:
    • Ensure Aria Ops is not reachable from untrusted networks
    • Restrict to admin VPN/jump hosts
    • Reduce the migration window and keep it contained

If you’re not migrating, but you run Aria Ops in prod

  • Patch anyway (8.18.6 / 9.0.2.0, etc.).
  • Review Aria Ops RBAC: Who can create custom benchmarks? Reduce it to trusted admins only (mitigates practical risk from CVE-2026-22720).
  • Review vCenter-to-Aria access paths: confirm only required roles can access Aria Ops integration points (reduces exposure to CVE-2026-22721).
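Pulling the fixed-version targets and the prioritization above into a small triage script helps when you have more than a handful of appliances to sort. The following is an added example written for this post; it is not Broadcom tooling. The fixed versions (8.18.6 for the 8.x line, 9.0.2.0 for VCF Operations 9.x) and the priority rules come from the advisory summary above; the inventory, hostnames and version numbers at the bottom are constructed, and the priority labels (P0/P1/P2/CHECK) are my own.

```python
"""
Triage VMware Aria Operations instances against VMSA-2026-0001.

Added example for this post, not Broadcom tooling. Fixed versions are taken
from the advisory summary above; the inventory below is constructed.
"""
from dataclasses import dataclass

# Fixed target per major release line, per the advisory summary above.
FIXED_VERSIONS = {8: "8.18.6", 9: "9.0.2.0"}


def parse_version(v: str) -> tuple:
    """'8.18.6' -> (8, 18, 6). Raises ValueError on non-numeric components."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def version_at_least(have: str, want: str) -> bool:
    """Numeric, zero-padded comparison: 8.18.10 >= 8.18.6 is True (a plain
    string compare gets this wrong) and 9.0.2 compares equal to 9.0.2.0."""
    a, b = parse_version(have), parse_version(want)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def is_patched(version: str):
    """True/False for the 8.x and 9.x lines; None when the release line is
    not covered by the summary (use the advisory's response matrix instead)."""
    fixed = FIXED_VERSIONS.get(parse_version(version)[0])
    return None if fixed is None else version_at_least(version, fixed)


@dataclass
class AriaInstance:
    name: str
    version: str
    migrating: bool            # support-assisted migration in progress (the 22719 window)
    kb430349_applied: bool     # workaround covers CVE-2026-22719 only
    untrusted_reachable: bool  # reachable from outside admin VPN / jump hosts


def triage(inst: AriaInstance) -> tuple:
    """Return (priority, reason) following the prioritization in the post."""
    patched = is_patched(inst.version)
    if patched is None:
        return ("CHECK", "release line not covered here; consult the response matrix")
    if patched:
        return ("OK", "at or above the fixed version")
    if inst.migrating:
        if inst.kb430349_applied:
            return ("P1", "migrating with KB430349 stopgap; still patch, no workaround for 22720/22721")
        return ("P0", "unpatched during support-assisted migration: unauthenticated RCE window")
    if inst.untrusted_reachable:
        return ("P1", "unpatched and reachable from untrusted networks; restrict access and patch")
    return ("P2", "patch in the next window; 22720/22721 have no workaround")


def triage_inventory(instances) -> dict:
    """Map instance name -> priority label for the whole inventory."""
    return {i.name: triage(i)[0] for i in instances}


# Constructed inventory for illustration (names and versions are made up).
INVENTORY = [
    AriaInstance("aria-prod-01", "8.18.5", migrating=True, kb430349_applied=False, untrusted_reachable=False),
    AriaInstance("aria-prod-02", "8.18.6", migrating=False, kb430349_applied=False, untrusted_reachable=False),
    AriaInstance("aria-lab-01", "8.18.10", migrating=False, kb430349_applied=False, untrusted_reachable=True),
    AriaInstance("vcf-ops-01", "9.0.1.0", migrating=False, kb430349_applied=False, untrusted_reachable=True),
    AriaInstance("aria-old-01", "7.5.0", migrating=False, kb430349_applied=False, untrusted_reachable=False),
]

if __name__ == "__main__":
    for inst in INVENTORY:
        prio, reason = triage(inst)
        print(f"{inst.name:14} {inst.version:9} {prio:6} {reason}")
```

Two things worth keeping when you adapt this to a real inventory export: compare versions numerically (the 8.18.10-vs-8.18.6 case is the classic string-comparison trap), and treat any release line you don't have a fixed target for as "go read the response matrix" rather than silently marking it fine.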