【Vulnerability Alert】Broadcom VMware contains high-risk security vulnerabilities (CVE-2026-22719 and CVE-2026-22720). Please verify and apply the necessary patches as soon as possible.

Publish date: 2026-03-13   Update date: 2026-03-13

Source: Ministry of Education Information & Communication Security Contingency Platform


Publication Number: TACERT-ANA-2026031110034141
Publication Time: 2026/03/11 10:08
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2026/03/11 10:08
Impact Level: Medium
[Subject]
【Vulnerability Alert】Broadcom VMware contains high-risk security vulnerabilities (CVE-2026-22719 and CVE-2026-22720). Please verify and apply the necessary patches as soon as possible.
[Content]
Forwarded from the National Institute of Cyber Security NISAC-200-202603-00000006

Security researchers have identified two high-risk security vulnerabilities in Broadcom VMware (CVE-2026-22719 and CVE-2026-22720). The vulnerability types are Command Injection and Stored Cross-Site Scripting. The former occurs during the Aria Operations support-assisted product migration process, allowing an unauthenticated remote attacker to exploit the vulnerability to execute arbitrary commands on affected devices. This vulnerability has already been exploited by attackers. The latter allows a remote attacker with permission to create custom benchmarks to inject malicious scripts, which may then execute system operations with administrator privileges. Please verify your systems and apply the necessary patches as soon as possible.

(Information Sharing Level: WHITE (information content can be publicly disclosed))
[Affected Platform]
VMware Aria Operations versions prior to 8.18.6 (from 8.0.5 up to, but not including, 8.18.6)
VMware Cloud Foundation versions prior to 5.2.3 (from 4.0 up to, but not including, 5.2.3)
VMware Cloud Foundation versions prior to 9.0.2.0 (from 9.0 up to, but not including, 9.0.2.0)
VMware Telco Cloud Platform versions up to and including 5.1 (from 4.0 to 5.1 inclusive)
VMware Telco Cloud Infrastructure versions up to and including 3.0 (from 2.2 to 3.0 inclusive)
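To turn the version ranges listed above into a check an asset owner can run against an inventory, here is an added example that is not part of the advisory or of any Broadcom tooling. It encodes the ranges exactly as stated; the inventory rows are constructed, and reading an inclusive bound such as "up to and including 5.1" as covering 5.1.x is an assumption.

```python
"""Flag inventory entries that fall inside this advisory's affected version ranges."""
from typing import NamedTuple


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.18.6' into (8, 18, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


class AffectedRange(NamedTuple):
    product: str
    low: str              # inclusive lower bound, as printed in the advisory
    high: str             # upper bound, as printed in the advisory
    high_inclusive: bool  # True for "up to and including", False for "prior to"


# Ranges copied from the [Affected Platform] section.
AFFECTED = [
    AffectedRange("VMware Aria Operations", "8.0.5", "8.18.6", False),
    AffectedRange("VMware Cloud Foundation", "4.0", "5.2.3", False),
    AffectedRange("VMware Cloud Foundation", "9.0", "9.0.2.0", False),
    AffectedRange("VMware Telco Cloud Platform", "4.0", "5.1", True),
    AffectedRange("VMware Telco Cloud Infrastructure", "2.2", "3.0", True),
]


def is_affected(product: str, version: str) -> bool:
    """True if this product/version lies inside any affected range for that product."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.product != product or v < parse_version(r.low):
            continue
        high = parse_version(r.high)
        if r.high_inclusive:
            # Assumption: "up to and including 5.1" covers 5.1.x, so compare only
            # as many components as the bound itself specifies.
            if v[: len(high)] <= high:
                return True
        elif v < high:  # "prior to": the fixed version itself is not affected
            return True
    return False


# Constructed sample inventory (hostname, product, version); not real hosts.
SAMPLE_INVENTORY = [
    ("aria-01", "VMware Aria Operations", "8.18.5"),
    ("aria-02", "VMware Aria Operations", "8.18.6"),
    ("vcf-01", "VMware Cloud Foundation", "9.0.1"),
    ("tcp-01", "VMware Telco Cloud Platform", "5.1.1"),
]


def needs_patch(inventory) -> list[str]:
    """Return the hostnames whose product/version is inside an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]
```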
[Recommended Actions]
The vendor has released a remediation update for the vulnerability. Please refer to the official advisory and perform the update accordingly. The URL is as follows: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
[Reference]
1. https://nvd.nist.gov/vuln/detail/CVE-2026-22719
2. https://nvd.nist.gov/vuln/detail/CVE-2026-22720
3. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center