Nessus scanner Plugin 306550 identified CVE-2026-34477 within the VMware Aria Automation 8.18.1 environment. This vulnerability, also tracked under IAVA #2026-A-0324, involves an Apache Log4j TLS hostname verification bypass. Security assessments indicate that while hostname verification was addressed for certain system properties, the verifyHostName attribute remained ignored in affected versions, potentially allowing man-in-the-middle attacks.
VMware Aria Automation 8.18.1
The current version of VMware Aria Automation uses an affected version of the Apache Log4j component (2.12.0 or later, but earlier than 2.25.4), which is vulnerable to the SSL hostname verification bypass described in CVE-2026-34477.
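An added triage example (not Broadcom or Apache code): it filters a file listing for log4j-core jars inside the range given above and lists the elements in a Log4j XML configuration that set the verifyHostName attribute. The file paths, the sample configuration and its element names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Range stated on this page: 2.12.0 <= version < 2.25.4
AFFECTED_MIN, FIXED_IN = (2, 12, 0), (2, 25, 4)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")

def jar_version(path):
    """(major, minor, patch) from a log4j-core jar name, else None.
    Qualifiers such as -SNAPSHOT are ignored."""
    m = JAR_RE.search(path)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_affected(version):
    return AFFECTED_MIN <= version < FIXED_IN

def affected_jars(paths):
    """Keep only log4j-core jars whose version is inside the range."""
    return [p for p in paths if (v := jar_version(p)) and is_affected(v)]

def verify_hostname_users(config_xml):
    """Tags of elements that set verifyHostName="true", the attribute
    this page says is ignored in affected versions."""
    hits = []
    for el in ET.fromstring(config_xml).iter():
        for name, value in el.attrib.items():
            if name.lower() == "verifyhostname" and value.strip().lower() == "true":
                hits.append(el.tag)
    return hits

# Constructed sample inputs, not taken from a real appliance.
SAMPLE_PATHS = [
    "/opt/example/lib/log4j-core-2.11.2.jar",
    "/opt/example/lib/log4j-core-2.17.1.jar",
    "/opt/example/lib/log4j-api-2.17.1.jar",
    "/opt/example/lib/log4j-core-2.25.4.jar",
]
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Socket name="remote" host="logs.example.internal" port="6514">
    <Ssl verifyHostName="true"/>
  </Socket>
  <Console name="stdout"/>
</Appenders></Configuration>"""

if __name__ == "__main__":
    print("affected jars:", affected_jars(SAMPLE_PATHS))
    print("elements setting verifyHostName:", verify_hostname_users(SAMPLE_CONFIG))
```

Run it against a file listing from the host and against Log4j configuration files you trust; a jar in range combined with a non-empty second result marks a connection that depends on the ignored attribute.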
Broadcom engineering has confirmed that CVE-2026-34477 will be fully resolved in the next Aria Automation 8.18.1 patch release. This patch is currently expected to be available in Q3 of 2026. To remediate the issue, customers should upgrade to the 8.18.1 patch release once it becomes available.
Refer to VMware Aria Automation Orchestrator 8.18.1 release notes.