IDPS signature update for CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721
search cancel

IDPS signature update for CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721

book

Article ID: 437118

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Recently, VMware by Broadcom published VMware Security Advisory VMSA-2026-0001 detailing information on vulnerabilities affecting VMware products, which could potentially be exploited by malicious actors. This KB announces 3 Intrusion Detection and Prevention System (IDPS) signatures and provides guidance on how to use them to detect and mitigate potential exploitation attempts of the vulnerabilities CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721.

Environment

VMware Aria Operations from 8.0 up to (excluding) 8.18.6.
VMware Cloud Foundation from 4.0 up to (excluding) 5.2.3.
VMware Cloud Foundation from 9.0 up to (excluding) 9.0.2.0.
VMware Telco Cloud Infrastructure from 2.2 up to (including) 3.0.
VMware Telco Cloud Platform from 4.0 up to (including) 5.1.

Response matrix is available in the security advisory for VMSA-2026-0001:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Cause

VMware Aria Operations contains a command injection vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.

VMware Aria Operations contains a stored cross-site scripting vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations.

VMware Aria Operations contains a privilege escalation vulnerability. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.2. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations.

Resolution

The following VMware vDefend IDPS signatures have been developed to detect and mitigate exploitation attempts of the vulnerabilities:

  • CVE-2026-22719: signatures IDs 1150806 and 1150807
  • CVE-2026-22720: signature ID 1150485
  • CVE-2026-22721: signature ID 1150808

For information on how to set up Distributed IDS/IPS and Gateway IDS/IPS for VMware vDefend and enable automatic IDPS signature updates, see
https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/vdefend-atp/9-0/nsx-ids-ips-and-nsx-malware-prevention.html
or
https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/vdefend-atp/4-2/nsx-ids-ips-and-nsx-malware-prevention.html.

Released IDPS signatures can be viewed in the vDefend Threat Intelligence Service portal:
https://portal.securityti.vmware.com/#/app/ids-signatures.

Powered by Wolken Software