Two other flaws were patched by the virtualization vendor, impacting Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure as well.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Broadcom has released patches for three vulnerabilities in VMware Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. The most critical flaw (CVE-2026-22719) is an unauthenticated command injection vulnerability enabling remote code execution, though rated 'high' rather than 'critical' because exploitation requires an active support-assisted migration. A stored XSS flaw (CVE-2026-22720, CVSS 8.0) allows privilege escalation to admin via persistent scripting, and a moderate flaw (CVE-2026-22721, CVSS 6.2) enables privilege escalation through vCenter access. No in-the-wild exploitation has been observed, but similar past vulnerabilities attracted hundreds of thousands of attack attempts. Customers are advised to upgrade to Aria Operations 8.18.6 and VMware Cloud Foundation 5.2.3 or 9.0.2.

VMware fixes command injection flaw in Aria Operations