CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

VMware Aria Automation Flaw Lands on CISA KEV: Now What?
Author: Alex Horton, DevSecOps Lead – 17 years in virtualization security
Editorial review: 2024-06-10
Update timestamp: 2024-06-10
Quick Action Checklist — For Those Who Don’t Have Time for Excuses
- Immediately isolate Aria Automation instances (on-prem or cloud)
- Apply VMware’s recommended hotfix [link below]
- Audit and rotate impacted service accounts and API keys
- Enforce MFA for all privileged access
- Centralize and review Aria logs for anomalous commands and privilege escalations
What Happened: Facts & Sources
VMware's Aria Automation platform was flagged by CISA on June 7, 2024 for a command injection vulnerability (CVE-2023-34060).
According to VMware's advisory, unauthenticated attackers can execute arbitrary commands via the workflow automation engine due to unsanitized input passed to backend scripts.
- CVSS: 9.8 (Critical)
- Attack complexity: Low
- Privileges required: None (remote unauthenticated)
- Confirmed exploitation: Yes (CISA KEV entry)
Who Is Affected: Versions & Configurations
- Aria Automation: 8.x (pre-8.12.1)
- Deployment types: Both on-prem and cloud-managed
- Vulnerable path: Workflow and API endpoints exposed to untrusted networks
If your Aria Automation nodes are internet-facing, unpatched, or running default integrations, you’re in the blast radius.
Architecture Pain Points: Why We Keep Falling for This
[Opinion]
Here’s a hypothetical scenario, drawn from real-world industry patterns:
A company’s ops team leaves default credentials active to avoid breaking monitoring integrations. Developers hardcode shell commands in workflow templates and skip input validation because "it works." QA checks only the happy path. An attacker with no privileges chains the command injection with stolen service credentials (which, per Shodan findings, are often running as root).
The result: lateral movement, privilege escalation, and exfiltration through poorly monitored management interfaces.
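The scenario above hinges on one coding habit: a workflow parameter pasted into a shell string. The following added example (not VMware's code, and not from this article) shows that anti-pattern beside a hardened version for a hypothetical workflow step. The tool path `/usr/local/bin/vmctl`, the action allowlist and the VM-name pattern are all assumptions; the unsafe function only builds the string it would have handed to a shell, it does not run anything.

```python
"""Hypothetical Aria-style workflow step that turns a workflow parameter
into an OS command. Added example, not VMware's code. The unsafe builder
reproduces the 'hardcoded shell template, no validation' pattern; the
safe builder allowlists the action, validates the parameter and returns
an argv list so no shell ever parses user input."""
import re
import shlex

# Constructed allowlist of the only actions this step may perform.
# The vmctl binary and its sub-commands are hypothetical.
ALLOWED_ACTIONS = {
    "snapshot": ["/usr/local/bin/vmctl", "snapshot"],
    "poweroff": ["/usr/local/bin/vmctl", "poweroff"],
}

# Strict shape for a VM name: alphanumerics, dot, underscore, dash; max 63 chars.
VM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def build_command_unsafe(action: str, vm_name: str) -> str:
    """The anti-pattern: template text and parameter concatenated into one
    shell string. If this string were passed to a shell, every metacharacter
    in vm_name would be interpreted, so 'web01; id' becomes two commands.
    Returned (never executed) purely to show what the shell would see."""
    return f"/usr/local/bin/vmctl {action} {vm_name}"


def build_command_safe(action: str, vm_name: str) -> list:
    """Hardened variant: reject unknown actions, reject any VM name that does
    not match the strict pattern, and hand back an argv list. Passing that
    list to subprocess.run(argv, shell=False) means the parameter is one
    argument, never shell syntax."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    if not VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"invalid vm name: {vm_name!r}")
    return [*ALLOWED_ACTIONS[action], vm_name]


def is_safe_parameter(vm_name: str) -> bool:
    """Convenience check a template author can call before rendering."""
    return VM_NAME_RE.fullmatch(vm_name) is not None


if __name__ == "__main__":
    hostile = "web01; id"  # constructed input containing a shell separator
    print("unsafe builder would hand the shell:", build_command_unsafe("snapshot", hostile))
    print("safe builder for a valid name     :", shlex.join(build_command_safe("snapshot", "web01")))
    try:
        build_command_safe("snapshot", hostile)
    except ValueError as exc:
        print("safe builder rejected hostile input:", exc)
```

The important change is not the regex alone but the combination: the action comes from an allowlist, the parameter is validated against a positive pattern (not a denylist of bad characters), and execution uses an argv list with `shell=False`, so validation is defence in depth rather than the only barrier.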

Immediate Mitigation (First 72 Hours)
- Isolate all affected Aria nodes—block external access, restrict internal traffic.
- Apply the official patch:
  - VMware KB 95935 – Fixed in 8.12.1
- If you can’t patch, use VMware's recommended workaround to disable affected workflow components.
- Rotate API keys and service account credentials.
- Review account privileges; demote any unnecessary root/service roles.
- Enable MFA everywhere (including internal API access).
- Centralize logging: Forward all Aria logs to your SIEM/SOC for correlation and retention.
Detection: What to Look For
- Splunk example:
  index=aria_automation sourcetype="workflow_engine" command="*" | stats count by user, command
- Kibana/ELK example:
  workflow_engine.command: "*" AND NOT workflow_engine.user: "system"
- Microsoft Sentinel example:
  EventID: 4688 CommandLine: "*aria*"
- Artifacts to check:
  - Recent workflow runs with anomalous commands
  - Unrecognized service accounts with elevated privileges
  - Sudden bulk API calls or credential creation
  - Management interface connection logs outside expected hours
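The SIEM queries above list everything; the artifact list is what an analyst then filters for. This added example (not from the article or VMware) runs those four checks over constructed JSON log lines from a hypothetical `workflow_engine` source. Field names, the known-account inventory, the API path, the bulk threshold and the business-hours window are all assumptions to be replaced with your own environment's values.

```python
"""Added detection example: apply the article's 'artifacts to check' to
constructed workflow_engine events. Not VMware's log schema; every field
name, account name and threshold here is an assumption."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (UTC). The API path and tool names are hypothetical.
SAMPLE_LOGS = """
{"ts":"2024-06-08T10:02:11Z","user":"svc-monitoring","role":"user","event":"workflow_run","command":"vmctl snapshot web01"}
{"ts":"2024-06-08T10:05:40Z","user":"svc-backup","role":"admin","event":"workflow_run","command":"vmctl snapshot db01 && id"}
{"ts":"2024-06-08T10:06:02Z","user":"svc-tmp9","role":"admin","event":"workflow_run","command":"vmctl list"}
{"ts":"2024-06-08T10:07:00Z","user":"svc-backup","role":"admin","event":"api_call","command":"POST /api/credentials"}
{"ts":"2024-06-08T10:07:05Z","user":"svc-backup","role":"admin","event":"api_call","command":"POST /api/credentials"}
{"ts":"2024-06-08T10:07:10Z","user":"svc-backup","role":"admin","event":"api_call","command":"POST /api/credentials"}
{"ts":"2024-06-08T10:07:15Z","user":"svc-backup","role":"admin","event":"api_call","command":"POST /api/credentials"}
{"ts":"2024-06-08T10:07:20Z","user":"svc-backup","role":"admin","event":"api_call","command":"POST /api/credentials"}
{"ts":"2024-06-08T02:15:00Z","user":"svc-backup","role":"admin","event":"mgmt_login","command":"","src":"10.9.8.7"}
"""

KNOWN_SERVICE_ACCOUNTS = {"svc-monitoring", "svc-backup"}  # assumed IAM inventory
SHELL_META = (";", "|", "&&", "||", "$(", "`", "\n")       # shell separators/substitution
BULK_THRESHOLD = 5          # API calls by one user inside BULK_WINDOW_SEC
BULK_WINDOW_SEC = 60
BUSINESS_HOURS = range(8, 18)  # UTC hours in which management logins are expected


def parse_events(text):
    """Parse one JSON object per line; ts becomes an aware UTC datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect(events):
    """Return (kind, user, detail) findings for the four artifact classes."""
    findings = []
    flagged_accounts = set()
    api_calls = defaultdict(list)
    for ev in events:
        cmd = ev.get("command", "")
        # 1. Workflow runs whose command carries shell separators or substitution.
        if ev["event"] == "workflow_run" and any(m in cmd for m in SHELL_META):
            findings.append(("anomalous_command", ev["user"], cmd))
        # 2. Elevated role on an account absent from the known inventory (once per user).
        if ev.get("role") == "admin" and ev["user"] not in KNOWN_SERVICE_ACCOUNTS \
                and ev["user"] not in flagged_accounts:
            flagged_accounts.add(ev["user"])
            findings.append(("unknown_privileged_account", ev["user"], cmd))
        # 3. Collect API call times per user for the burst check below.
        if ev["event"] == "api_call":
            api_calls[ev["user"]].append(ev["ts"])
        # 4. Management-interface logins outside the expected hours.
        if ev["event"] == "mgmt_login" and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_mgmt_login", ev["user"], ev.get("src", "")))
    # Sliding window: flag a user once if BULK_THRESHOLD calls fall within the window.
    for user, times in api_calls.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BULK_WINDOW_SEC:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                findings.append(("bulk_api_calls", user,
                                 f"{end - start + 1} calls within {BULK_WINDOW_SEC}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect(parse_events(SAMPLE_LOGS)):
        print(f"{kind:28} {user:16} {detail}")
```

On the constructed sample this yields four findings, one per artifact class. In production, feed it the export of the Splunk or Kibana query above rather than raw files, and replace the metacharacter list with whatever your workflow templates legitimately use, otherwise rule 1 drowns in pipelines that are supposed to contain `|`.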
How to Assess Impact in Your Environment
- Inventory all Aria hostnames via asset management tools
- Identify public exposure: Scan for open management ports/interfaces
- Audit privileged service accounts: Reconcile with internal IAM policy
- Review config change history for unauthorized modifications
- Correlate audit logs: Look for abnormal workflow templates or command executions in last 30 days
Long-Term Hardening: Don’t Wait for the Next CVE
- Enforce least privilege: Demote or delete all unnecessary service accounts; segment roles by region and function.
- Restrict management interfaces: No more public exposure—use regional isolation and jump