CVE-2026-22721

low-risk

Published 2026-02-25

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.2/10 Medium

NETWORK / HIGH complexity

Affected Products (4)

Aria Operations

Cloud Foundation

Telco Cloud Infrastructure

Telco Cloud Platform

Affected Vendors

Vmware

References (2)

Patch https://support.broadcom.com/web/ecx/support-content-notification/-/external/con...

Release Notes https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-...

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 10/34 · Low