Content Description:
Forwarding National Information Security Analysis and Sharing Center (NISAC) Alert NISAC-200-202603-00000006
Researchers have discovered two high-risk vulnerabilities (CVE-2026-22719 and CVE-2026-22720) in Broadcom VMware products. The vulnerability types are command injection and stored cross-site scripting (XSS), respectively. The former lies in the support-assisted product migration process of Aria Operations and allows an unauthenticated remote attacker to execute arbitrary commands on the affected device; this vulnerability has already been exploited in the wild. The latter allows a remote attacker who holds the privilege to create custom benchmarks to store a malicious script, which then executes in the browser session of an administrator who views it, so that operations can be carried out with administrator privileges. Please confirm whether your systems are affected and patch immediately.
Impacted Platforms:
VMware Aria Operations versions 8.05 and later, prior to 8.18.6 (8.18.6 not affected)
VMware Cloud Foundation versions 4.0 and later, prior to 5.2.3 (5.2.3 not affected)
VMware Cloud Foundation versions 9.0 and later, prior to 9.0.2.0 (9.0.2.0 not affected)
VMware Telco Cloud Platform versions 4.0 through 5.1 (both inclusive)
VMware Telco Cloud Infrastructure versions 2.2 through 3.0 (both inclusive)
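The following triage helper is added here as an example and is not part of the NISAC alert or of any VMware tool. It checks an inventory of (host, product, version) entries against the version ranges listed above. Product names and ranges are transcribed from that list; the Aria Operations lower bound "8.05" is kept verbatim (it parses as 8.5) and should be confirmed against the vendor advisory before the result is relied on. Hostnames and versions in the sample inventory are constructed.

```python
"""Version-range triage for the impacted-platform list in the advisory above.
Added example, not part of the advisory. Versions are compared as dotted integer
tuples, shorter tuples being zero-padded, so "9.0.2" and "9.0.2.0" compare equal."""
import re
from typing import Optional

# Ranges transcribed from the advisory: (lower, lower_inclusive, upper, upper_inclusive).
# The Aria Operations lower bound "8.05" is kept verbatim from the alert; it parses as (8, 5).
AFFECTED_RANGES = {
    "VMware Aria Operations": [("8.05", True, "8.18.6", False)],
    "VMware Cloud Foundation": [("4.0", True, "5.2.3", False),
                                ("9.0", True, "9.0.2.0", False)],
    "VMware Telco Cloud Platform": [("4.0", True, "5.1", True)],
    "VMware Telco Cloud Infrastructure": [("2.2", True, "3.0", True)],
}


def parse_version(text: str) -> tuple:
    """'8.18.6' -> (8, 18, 6). A trailing build tag such as '8.18.6-build1' is
    ignored; a component with no leading digits is an error."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b, zero-padding the shorter tuple."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version: str, rng: tuple) -> bool:
    """True if version lies within rng, honouring the inclusive/exclusive flags."""
    lower, lower_inc, upper, upper_inc = rng
    lo = compare_versions(version, lower)
    hi = compare_versions(version, upper)
    above_lower = lo > 0 or (lower_inc and lo == 0)
    below_upper = hi < 0 or (upper_inc and hi == 0)
    return above_lower and below_upper


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for a product named in the advisory; None if the product is not listed."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        return None
    return any(in_range(version, r) for r in ranges)


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns only the entries whose version falls inside an affected range."""
    return [(host, product, version)
            for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are invented.
    sample = [
        ("aria-ops-01", "VMware Aria Operations", "8.18.3"),
        ("aria-ops-02", "VMware Aria Operations", "8.18.6"),
        ("vcf-mgmt-01", "VMware Cloud Foundation", "9.0.1"),
        ("tcp-core-01", "VMware Telco Cloud Platform", "5.1"),
        ("esxi-lab-01", "VMware ESXi", "8.0.3"),
    ]
    for host, product, version in triage(sample):
        print(f"PATCH NEEDED: {host} ({product} {version})")
```

Products not named in the advisory return None rather than False so that an inventory row for an unlisted product is not silently reported as safe; treat None as "not covered by this alert" rather than "not vulnerable".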
Suggested Measures:
References:
-
-
-
Computer and Communication Center
Network Systems Division