Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Privilege Escalation in VMware Aria Operations

IdentifiersCVE-2026-22721CWE-269· Improper Privilege Management

CVE-2026-22721 is a privilege escalation vulnerability in VMware Aria Operations. Broadcom states that a malicious actor with privileges in vCenter sufficient to access Aria Operations can leverage the flaw to obtain administrative access within VMware Aria Operations. Supporting reporting from ERNW indicates the issue is tied to Aria Operations authentication and authorization behavior, specifically an authentication source modification path in which vCenter users mapped into Aria with lower privileges can abuse available permissions to modify authentication sources and create or control an administrator-capable access path. The issue affects both the 8.18.x and 9.x product lines and was addressed by Broadcom in VMSA-2026-0001.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in privilege escalation from an existing vCenter-accessible or lower-privileged Aria Operations context to full administrative access in VMware Aria Operations. Administrative control of Aria Operations can in turn expose management functions, integrations, and stored credentials for connected VMware infrastructure, increasing the risk of broader compromise of managed environments.

Mitigation

If you can’t patch tonight, do this now.

There is no vendor workaround listed for CVE-2026-22721. If immediate patching is not possible, reduce exposure by disabling the Aria Operations feature that allows vCenter users to log in, restricting vCenter privileges and access paths that permit access to Aria Operations, and closely monitoring authentication source changes and administrative actions until upgrades can be completed.

Remediation

Patch, then assume compromise.

Apply the vendor fixes referenced in Broadcom advisory VMSA-2026-0001. The provided content states fixed releases include VMware Aria Operations 8.18.6 and 9.0.2, and VMware Cloud Foundation / VMware vSphere Foundation 9.0.2.0 where bundled Aria Operations components are affected. For other impacted bundled product lines, apply the specific fixed versions or KB-directed updates listed in the advisory response matrix.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
BroadcomAria Operationsapplication
BroadcomCloud Foundationapplication
BroadcomTelco Cloud Infrastructureapplication
BroadcomTelco Cloud Platformapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
insinuatorNews
Mar 18, 2026
Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721) - Insinuator.net

A privilege escalation vulnerability in Broadcom VMware Aria Operations that allows modification of authentication sources, enabling a vCenter user mapped to Aria PowerUser to create or control administrative access within Aria.

Read more
the hacker newsNews
Mar 4, 2026
CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

A privilege escalation vulnerability that could result in administrative access, addressed alongside CVE-2026-22719.

Read more
dark readingNews
Mar 4, 2026
VMware Aria Operations Bug Exploited, Cloud Resources at Risk

A privilege escalation vulnerability in VMware Aria Operations disclosed alongside CVE-2026-22719.

Read more
broadcom kbNews
Mar 3, 2026
Workaround instructions to address CVE-2026-22719 in Aria Operations 8.18.x and 9.0.x

A vulnerability referenced alongside CVE-2026-22719 in VMSA-2026-0001; not mitigated by the provided workaround and requires upgrading to fixed releases.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-22721
NVD
nvd.nist.gov/vuln/detail/CVE-2026-22721
MITRE CWE · CWE-269
Improper Privilege Management
Patch
support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
Release Notes
techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html