CVE-2026-22719

CVE-2026-22719: VMware Aria Operations Command Injection

Initial Access Execution Persistence Lateral Movement Last updated:

Detects exploitation of CVE-2026-22719, a command injection vulnerability (CWE-77) in Broadcom VMware Aria Operations. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through unsanitized input, potentially leading to full host compromise, lateral movement, and persistence within virtualized environments.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Broadcom
Product
VMware Aria Operations

Weakness (CWE)

CWE-77

Timeline

Disclosed
March 3, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-22719 CVE-2026-22719: VMware Aria Operations Command Injection?

CVE-2026-22719: VMware Aria Operations Command Injection (CVE-2026-22719) maps to the Initial Access and Execution and Persistence and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-22719: VMware Aria Operations Command Injection, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Windows Security Event Log. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Lateral Movement
Microsoft Sentinel / Defender
kusto 
let AriaOpsProcesses = dynamic(['vmware-vcops', 'vcops', 'aria-ops', 'vrops']);
let SuspiciousChildProcs = dynamic(['sh', 'bash', 'python', 'python3', 'perl', 'curl', 'wget', 'nc', 'ncat', 'netcat', 'id', 'whoami', 'uname']);
let TimeWindow = 1h;
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated > ago(TimeWindow)
| where (ParentProcessName has_any (AriaOpsProcesses) or ProcessCommandLine has_any ('aria', 'vrops', 'vcops'))
    and FileName has_any (SuspiciousChildProcs)
| extend CommandLength = strlen(ProcessCommandLine)
| where CommandLength > 20
| project TimeGenerated, DeviceName, AccountName, ParentProcessName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, RemoteIP, ActionType
| order by TimeGenerated desc

Detects suspicious child process execution spawned by VMware Aria Operations processes, indicative of command injection exploitation of CVE-2026-22719.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents Windows Security Event Log

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

  • Legitimate administrative shell scripts executed by Aria Operations for maintenance tasks
  • Authorized automation pipelines that invoke shell commands as part of configured monitoring workflows
  • Scheduled health-check tasks launched by the Aria Operations service account under normal operations

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-22719: VMware Aria Operations Command Injection (CVE-2026-22719) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-22719 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-22719

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated Aria Operations Command Injection via curl

    Expected signal: Linux audit log EXECVE record for 'id' with ppid matching an Aria Operations web service process; file creation event in /tmp/ by the service account.

  2. Test 2Post-Exploitation Reverse Shell Staging from Aria Operations Context

    Expected signal: Audit log EXECVE for bash and curl with parent 'sudo'; network connection from host to attacker-lab.internal on port 80; file creation event for /tmp/.aria_agent.

  3. Test 3Recon Execution Simulating Aria Operations Command Injection Output

    Expected signal: Linux audit EXECVE records for id, whoami, uname, cat, ss all with uid matching the vmware service account; all spawned as children of bash.

  4. Test 4Persistence via Cron Injection Simulating Post-Exploitation

    Expected signal: Audit log records for bash and crontab execution under vmware service account; file write to vmware user crontab spool (/var/spool/cron/crontabs/vmware).

Unlock Pro Content

Get the full detection package for CVE-2026-22719 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1078.003Local AccountsT1210Exploitation of Remote Services

Same Tactic: Initial Access

Popular Detections