INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds Qualcomm Broadcom VMware Aria Flaws
2026-03-04 08:56 | CRITICAL HIGH
Executive Summary AI-generated
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, Zimbra flaws, and others. These additions were made on March 4, 2026, with the most recent being Broadcom VMware Aria Operations Command Injection Vulnerability CVE-2026-21385, a high-severity memory corruption issue that could lead to remote code execution in vulnerable systems. The vulnerabilities have been identified by Google as part of its advisory and are expected to be actively exploited due to their CVSS scores ranging from 7.8 to 8.1.
Technical Mitigations AI-generated
* Implement a secure patching strategy for VMware Aria Operations to address the known exploited vulnerabilities (CVE-2026-22719, CVE-2026-21385) and ensure timely implementation by March 24, 2026.
* Conduct vulnerability assessments and penetration testing on critical infrastructure to identify potential entry points for attackers exploiting the identified vulnerabilities.
* Implement robust access controls and authentication mechanisms to prevent unauthorized access to VMware Aria Operations and other affected systems.
* Regularly update and patch software components, including operating systems and applications, to ensure that known exploits are addressed before they can be used against the system.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-22721
CVE-2026-22719
CVE-2026-22720
CVE-2026-21385
Target & Sectors
Global Scope
health
Incident Timeline
2026-02-02
Threat actors used a known exploited vulnerability in VMware Aria Operations to exploit the Qualcomm and Broadcom vulnerabilities.
"A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress," the company said in an advisory released late last month.
February 24, 2026
Threat actors used a known exploited vulnerability in Qualcomm and Broadcom to target VMware systems.
The vulnerability was originally disclosed and patched on February 24, 2026, as part of VMware's VMSA-2026-0001 advisory, which was rated Important with a CVSS score of 8.1.
February 24
Threat actors exploited vulnerabilities in Qualcomm and Broadcom processors to gain unauthorized access.
Mar 04, 2026
Threat actors exploited vulnerabilities in Qualcomm and Broadcom's VMware Aria Operations software to gain unauthorized access.
VMSA-2026-0001
Threat actors exploited a known vulnerability in VMware Aria Operations, which was patched on February 24, 2026.
2026-03-04
Broadcom and U.S. CISA added the VMware Aria Operations Command Injection Vulnerability CVE-2026-22719 to their Known Exploited Vulnerabilities catalog, citing active exploitation in the wild.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
* CVE-2026-22719 (CVSS score of 8.1) Broadcom VMware Aria Operations Command Injection Vulnerability
* CVE-2026-21385 (CVSS score of 7.8) Qualcomm Multiple Chipsets Memory Corruption Vulnerability
In February, Broadcom released security updates to address multiple vulnerabilities affecting VMware Aria Operations, including CVE-2026-22719.
Broadcom also warned that it is aware of reports indicating the vulnerability is exploited but says it cannot independently confirm the claims.
VMware Aria Operations is an enterprise monitoring platform that helps organizations track the performance and health of servers, networks, and cloud infrastructure.
Google has confirmed that CVE-2026-21385 (CVSS score of 7.8), a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been actively exploited.
The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.
It impacts the following products -
* VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x - Fixed in 9.0.2.0
* VMware Aria Operations 8.x - Fixed in 8.18.6
Customers who cannot apply the patch immediately can download and run a shell script ("aria-ops-rce-workaround.sh") as root from each Aria Operations Virtual Appliance node.
The script disables components of the migration process that could be abused during exploitation, including removing the "/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh" and the following sudoers entry that allows vmware-casa-workflow.sh to run as root without a password:
NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh
Admins are advised to apply available VMware Aria Operations security patches or implement workarounds as soon as possible, especially if the flaw is being actively exploited in attacks.
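A read-only audit of the two changes described above, written as an added example; it is not Broadcom's aria-ops-rce-workaround.sh. The function name, the ROOT prefix argument, and the assumption that the entry lives in /etc/sudoers or a drop-in under /etc/sudoers.d are illustrative.

```shell
#!/bin/sh
# Added example: verifies the workaround state on an Aria Operations node.
# It changes nothing; it only reports what is still present.
MIGRATION_SCRIPT="/usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh"
WORKFLOW_SCRIPT="/usr/lib/vmware-casa/bin/vmware-casa-workflow.sh"

# check_workaround ROOT
#   ROOT: filesystem prefix ("" for the live node, or a mounted image / test dir).
#   Prints one finding per line. Returns 0 only if the migration script is gone
#   and no active sudoers rule grants NOPASSWD on the workflow script.
check_workaround() {
    root="${1:-}"
    rc=0
    sudo_hit=0

    if [ -e "${root}${MIGRATION_SCRIPT}" ]; then
        echo "FAIL migration service script still present: ${MIGRATION_SCRIPT}"
        rc=1
    else
        echo "OK   migration service script absent"
    fi

    # Assumption: the rule is in the main sudoers file or a drop-in directory.
    for f in "${root}/etc/sudoers" "${root}"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then
            # An unreadable file must not be reported as clean.
            echo "WARN cannot read ${f#"$root"} (run as root)"
            rc=1
            continue
        fi
        # Skip commented-out lines, then look for a NOPASSWD rule naming the script.
        if grep -v '^[[:space:]]*#' "$f" | grep -F 'NOPASSWD:' \
                | grep -qF "$WORKFLOW_SCRIPT"; then
            echo "FAIL NOPASSWD sudoers entry still present in ${f#"$root"}"
            sudo_hit=1
            rc=1
        fi
    done

    if [ "$sudo_hit" -eq 0 ]; then
        echo "OK   no active NOPASSWD entry for ${WORKFLOW_SCRIPT}"
    fi
    return "$rc"
}
```

Run `check_workaround ""` as root on each appliance node; a non-zero return means at least one of the two items is still in place or could not be inspected.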
BleepingComputer contacted Broadcom with questions regarding the reported activity, but has not received a response.
March 24, 2026
Threat actors used a vulnerability in Qualcomm and Broadcom to target VMware Aria Operations.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 24, 2026.
The flaw has now been added to the CISA's Known Exploited Vulnerabilities (KEV) catalog, with the US cyber agency requiring federal civilian agencies to address the issue by March 24, 2026.
Intelligence Sources
Security Affairs
2026-03-04
The Hacker News
2026-03-04
BleepingComputer
2026-03-03
CISA flags VMware Aria Operations RCE flaw as exploited in attacks
BleepingComputer
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:41
Comprehensive Tactical Telemetry
Highly Correlated Entities
14x | attribution | Attributing Entity | The U.S. Cybersecurity and Infrastructure Security Agency | authority
12x | organisation | Identified Entity | CVSS | entity
8x | timeline | Temporal Reference | March 24, 2026 | date
4x | vulnerability | Exploited CVE | CVE-2026-22719 | cve
3x | tactic | Cyber Operation Type | Ransomware | tactic
3x | infrastructure | Software Version | 7.8 | version
2x | infrastructure | Affected Product | Windows | software
2x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
2x | vulnerability | CVSS Score | 8 | score
Contextual Telemetry
Context Block
7 METRICS
general metric | Severity Vulnerability | 8 | severity vulnerability
general metric | Mar | 4 | mar
source region | Origin Country | United States | country
industry | Targeted Sector | Health | sector
general metric | Red Report | 2,026 | red report
general metric | Malicious Samples | 1,100,000 | malicious samples
general metric | Top Techniques | 10 | top techniques