Broadcom’s VMware Aria bug hits CISA exploited list, setting patch clock for agencies
4 March 2026

Washington—March 4, 2026, 11:04 EST

  • The U.S. Cybersecurity and Infrastructure Security Agency has placed Broadcom’s VMware Aria Operations vulnerability, tracked as CVE-2026-22719, on its catalog of exploited bugs, and gave federal agencies until March 24 to patch it.
  • Broadcom has heard about potential exploitation, though it hasn’t been able to verify the reports; patches and a workaround are up for grabs.
  • Broadcom is doubling down on VMware software, with an earnings release set for after the bell. The alert comes as the company shifts focus.

The U.S. Cybersecurity and Infrastructure Security Agency flagged a flaw in Broadcom’s VMware Aria Operations software, putting it on its Known Exploited Vulnerabilities list and giving federal civilian agencies until March 24 to patch the issue, according to a U.S. government vulnerability database entry.

This isn’t just hypothetical: the KEV list is CISA’s active catalog of vulnerabilities it says attackers are exploiting right now. For IT teams, a listing does more than raise the stakes. It usually means patching on a much tighter schedule, and not only in the public sector.

VMware Aria Operations helps enterprises keep tabs on their infrastructure, while Broadcom keeps steering VMware software further into private-cloud stacks. If attackers get through a flaw in these operational tools, they can end up inside systems powering everything from core business apps to telecom networks.

Broadcom flagged CVE-2026-22719 as a command-injection vulnerability: attackers might feed their own commands to the system and trigger remote code execution, meaning malicious code could run from afar. In a recent update on its support portal, Broadcom said, “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”

Broadcom rolled out patches as well as a temporary workaround, pointing users to Aria Operations 8.18.6 and 9.0.2 for the fixed releases, plus updates for VMware Cloud Foundation. But the company cautioned that the workaround is just a stop-gap—it won’t fix the two additional vulnerabilities revealed with CVE-2026-22719.

The vulnerability stems from a “support-assisted” migration workflow—a particular state triggered in some customer environments during vendor-supported migrations. That detail might limit how many systems are actually exposed. Still, with CISA flagging it as exploited, defenders are likely to start treating the risk with more urgency.

Customers now face yet another round of patching, this time across intricate stacks—think virtualization, monitoring, and cloud management software from players like Microsoft and IBM’s Red Hat—plus whatever security and hardware layers are already in place.

Broadcom’s quarterly numbers drop after Wednesday’s close, and options traders are braced for a swing—roughly 8% up or down—depending on how results shake out. Visible Alpha’s projections land at $19.21 billion in fiscal Q1 revenue with adjusted EPS pegged at $2.02, according to Investopedia.

Broadcom is pushing its VMware-based private cloud to telecom operators looking to set up “sovereign” infrastructure—systems meant to keep critical data and operations within national borders. “Hardware costs are spiraling out of control and the global demand for memory resulting from AI will further accelerate rising server prices,” said Paul Turner, chief product officer for Broadcom’s VMware Cloud Foundation group, in a statement quoted by Channel Dive.

Broadcom’s $69 billion acquisition of cloud software player VMware in 2023 brought infrastructure software deeper into the mix, complementing its core chip business.

The risk on the table is clear enough: should attackers exploit the flaw on a wider scale, big companies and service providers that can’t just schedule downtime could find themselves rushing to patch. Broadcom, for its part, says it can’t verify the exploit reports, which doesn’t help. Defenders are now being pushed to act quickly, without much in the way of public specifics on the attack methods.

Khadija Saeed is a financial markets reporter at TS2.tech, specializing in stocks, technology and emerging industries. She studied economics and finance at the London School of Economics and previously worked in market research before moving into financial journalism. Her coverage focuses on the companies, innovations and economic trends influencing global investors.
