CVE-2026-22721

Summary

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in  VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .

Affected Software

VendorProductVersion RangeStatus
VMwareVMware Aria Operations8.18.0 < 8.18.6affected
VMwareVMware Aria Operations8.18.6unaffected
VMwareVMware Cloud Foundation4.0 < 5.2.3affected
VMwareVMware Cloud Foundation9.0 < 9.0.2affected
VMwareVMware Cloud Foundation5.2.3unaffected
VMwareVMware Cloud Foundation9.0.2unaffected
VMwareVMware Telco Cloud Platform4.0 < 5.2.3affected
VMwareVMware Telco Cloud Platform5.2.3unaffected
VMwareVMware Telco Cloud Infrastructure2.0 < 5.2.3affected
VMwareVMware Telco Cloud Infrastructure5.2.3unaffected

Weaknesses

  • CWE-269: CWE-269 Improper Privilege Management

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References