VMware Cloud Foundation


By the Year

In 2026 there have been 3 vulnerabilities in VMware Cloud Foundation with an average score of 7.4 out of ten. Last year, in 2025, Cloud Foundation had 17 security vulnerabilities published. Right now, Cloud Foundation is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.23 (7.43 versus 7.20).




Year Vulnerabilities Average Score
2026 3 7.43
2025 17 7.20
2024 19 7.28
2023 9 7.67
2022 21 7.11
2021 40 7.25
2020 13 6.77
2019 1 0.00

It may take a day or so for new Cloud Foundation vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example under vCenter Server, ESXi, NSX or Aria Operations rather than Cloud Foundation itself).

Recent VMware Cloud Foundation Security Vulnerabilities

Privilege Escalation in VMware Aria Ops via vCenter Access
CVE-2026-22721 6.2 - Medium - February 25, 2026

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Improper Privilege Management

VMware Aria Ops Stored XSS via Custom Benchmarks Allows Admin Actions
CVE-2026-22720 8 - High - February 25, 2026

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

XSS

VMware Aria Ops cmd injection leads to RCE during migration
CVE-2026-22719 8.1 - High - February 25, 2026

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in VMSA-2026-0001. Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the same 'Response Matrix': https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Command Injection

VMware vCenter SMTP Header Injection in Scheduled Task Emails
CVE-2025-41250 8.5 - High - September 29, 2025

VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

Command Injection
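The entry above describes the bug class, not the code path. The block below is an added example (not vCenter code) that shows why a scheduled-task name with embedded CR/LF lets a low-privileged user rewrite the notification e-mail: the task name, header layout and addresses are assumptions constructed for illustration. The vulnerable builder concatenates the value into the header block; the fixed builder refuses any value containing line terminators, which is the check a practitioner should look for wherever user input reaches a mail header.

```python
"""
SMTP header injection, vulnerable and fixed, using a constructed scheduled-task
notification template. Added example; the template and inputs are assumptions.
"""
import re

# Constructed attacker input: a task name a user with "create scheduled task"
# rights might submit. The first CRLF ends the Subject header and starts a Bcc
# header; the trailing "X-Ignore: " swallows the rest of the template's Subject
# line so the message still parses cleanly at the receiving MTA.
MALICIOUS_TASK_NAME = "Nightly snapshot\r\nBcc: attacker@example.invalid\r\nX-Ignore: "
BENIGN_TASK_NAME = "Nightly snapshot"

_LINE_TERMINATORS = re.compile(r"[\r\n\x00]")


def build_notification_vulnerable(task_name: str, recipient: str) -> str:
    """Vulnerable pattern: user-controlled value concatenated into the header block."""
    return (
        "From: vcenter@example.invalid\r\n"
        f"To: {recipient}\r\n"
        f"Subject: Scheduled task '{task_name}' completed\r\n"
        "\r\n"
        "The scheduled task has run.\r\n"
    )


def header_safe(value: str) -> str:
    """Reject any value that could terminate a header line (CR, LF or NUL)."""
    if _LINE_TERMINATORS.search(value):
        raise ValueError("header value contains line-terminating control characters")
    return value


def build_notification_fixed(task_name: str, recipient: str) -> str:
    """Fixed pattern: every user-influenced header value is validated first."""
    safe_name = header_safe(task_name)
    safe_recipient = header_safe(recipient)
    return (
        "From: vcenter@example.invalid\r\n"
        f"To: {safe_recipient}\r\n"
        f"Subject: Scheduled task '{safe_name}' completed\r\n"
        "\r\n"
        "The scheduled task has run.\r\n"
    )


def parse_headers(message: str) -> dict:
    """Split the header block the way a receiving MTA would (one header per CRLF)."""
    header_block, _, _ = message.partition("\r\n\r\n")
    headers: dict = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def injected_headers(message: str) -> list:
    """Header names present that the template never intended to send."""
    expected = {"From", "To", "Subject"}
    return [name for name in parse_headers(message) if name not in expected]


def fixed_rejects(task_name: str) -> bool:
    """True if the hardened builder refuses this task name."""
    try:
        build_notification_fixed(task_name, "ops@example.invalid")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = build_notification_vulnerable(MALICIOUS_TASK_NAME, "ops@example.invalid")
    print("smuggled headers:", injected_headers(bad))
    print("fixed builder rejects payload:", fixed_rejects(MALICIOUS_TASK_NAME))
```

Rejecting rather than stripping is deliberate: silently removing CR/LF can leave a header that still parses but no longer means what the user typed, and it hides the attempt from logs. The same validation belongs on the recipient field, since a scheduled-task notification address is also user data.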

VMware Aria Ops Cred Disclosure via Info Leak
CVE-2025-41245 4.9 - Medium - September 29, 2025

VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations.

Insecure Default Initialization of Resource

VMware Aria Ops/Tools LPE via SDMP (VMware vSphere)
CVE-2025-41244 7.8 - High - September 29, 2025

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Privilege Defined With Unsafe Actions

VMware NSX Stored XSS in Gateway Firewall
CVE-2025-22244 - June 04, 2025

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation.

VMware NSX Router Port Stored XSS via Improper Input Validation
CVE-2025-22245 - June 04, 2025

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.

VMware NSX Manager UI XSS: Improper Input Validation
CVE-2025-22243 - June 04, 2025

VMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation.

VMware Cloud Foundation Unauth Exec & Info Leak Vulnerability
CVE-2025-41231 - May 20, 2025

VMware Cloud Foundation contains a missing authorisation vulnerability. A malicious actor with access to the VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information.

VMware Cloud Foundation CVE-2025-41230 Info Disclosure via Port 443
CVE-2025-41230 - May 20, 2025

VMware Cloud Foundation contains an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information.

VMware Aria Automation DOM XSS for Access Token Theft
CVE-2025-22249 - May 13, 2025

VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.

VMware ESXi TOCTOU OOB Write Allows VM Admin Code Exec as VMX
CVE-2025-22224 9.3 - Critical - March 04, 2025

VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

TOCTTOU

VMware ESXi Arbitrary Write Escape via VMX Kernel Write
CVE-2025-22225 8.2 - High - March 04, 2025

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Write-what-where Condition

VMware ESXi/Workstation/Fusion: OOB Read in HGFS Enables VM Memory Disclosure
CVE-2025-22226 7.1 - High - March 04, 2025

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Out-of-bounds Read

VMware Aria Ops for Logs XSS Allows Privilege Escalation
CVE-2025-22219 9 - Critical - January 30, 2025

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with non-administrative privileges may be able to inject a malicious script that, when rendered in an administrator's browser, leads to arbitrary operations being performed as the admin user.

VMware Aria Ops for Logs Privilege Escalation via API
CVE-2025-22220 5.4 - Medium - January 30, 2025

VMware Aria Operations for Logs contains a privilege escalation vulnerability. A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user.

VMware Aria Ops for Logs Stored XSS via Agent Config Delete
CVE-2025-22221 4.8 - Medium - January 30, 2025

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configuration.

VMware Aria Ops Info Disclosure via Outbound Plugin Credential Leak
CVE-2025-22222 6.5 - Medium - January 30, 2025

VMware Aria Operations contains an information disclosure vulnerability. A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known.

VMware Aria Ops Logs Info Disclosure in View-Only Admin
CVE-2025-22218 7.7 - High - January 30, 2025

VMware Aria Operations for Logs contains an information disclosure vulnerability. A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs.

VMware Aria Operations Local Privilege Escalation to Root on Appliance
CVE-2024-38830 7.8 - High - November 26, 2024

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges may trigger this vulnerability to escalate privileges to root user on the appliance running VMware Aria Operations.

VMware Aria Ops LPE via Properties File
CVE-2024-38831 7.8 - High - November 26, 2024

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges can insert malicious commands into the properties file to escalate privileges to a root user on the appliance running VMware Aria Operations.

Stored XSS in VMware Aria Ops via View Editing
CVE-2024-38832 6.4 - Medium - November 26, 2024

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to views may be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

CVE-2024-38833: Stored XSS via Email Templates in VMware Aria Ops
CVE-2024-38833 5.4 - Medium - November 26, 2024

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to email templates might inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

VMware Aria Ops: Stored XSS via Editing Access
CVE-2024-38834 4.8 - Medium - November 26, 2024

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to cloud provider might be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

Aria Automation SQLi via Improper Input Validation (Authenticated)
CVE-2024-22280 8.1 - High - July 11, 2024

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.

SQL Injection

DOS in vCenter Server via network access
CVE-2024-37087 - June 25, 2024

The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.

VMware ESXi Auth Bypass via Recreating AD Group
CVE-2024-37085 6.8 - Medium - June 25, 2024

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. Background on joining ESXi hosts to AD: https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html

Authentication Bypass by Primary Weakness
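The weakness described above is that an AD-joined ESXi host trusts whichever group currently carries the configured admin group name, so deleting and re-creating that group (or adding members to it) is the observable attacker activity. The block below is an added detection sketch, not VMware or Microsoft tooling: it scans domain-controller Security events for exactly that lifecycle on the configured group name. The JSON field names and the sample events are constructed for this example. The advisory text quoted on this page gives the default name as 'ESXi Admins'; on the host the name actually used is the value of the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, whose default is "ESX Admins", so the detector takes the name as a parameter rather than hard-coding it.

```python
"""
Hunt for deletion / re-creation / membership changes of the AD group that ESXi
treats as its admin group (the CVE-2024-37085 pattern). Added example; assumes
Windows Security events exported from a domain controller as JSON lines.
"""
import json
from typing import Iterable

# Windows Security log event IDs for security-enabled global groups.
GROUP_CREATED = 4727   # A security-enabled global group was created
GROUP_DELETED = 4730   # A security-enabled global group was deleted
MEMBER_ADDED = 4728    # A member was added to a security-enabled global group

# Constructed sample export; field names are assumptions for this example.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"time": "2024-06-25T09:00:00Z", "event_id": 4727, "actor": "alice",
                "group": "Finance Admins"}),
    json.dumps({"time": "2024-06-25T10:00:00Z", "event_id": 4730, "actor": "bob",
                "group": "esx admins"}),
    json.dumps({"time": "2024-06-25T10:05:00Z", "event_id": 4727, "actor": "mallory",
                "group": "ESX Admins"}),
    json.dumps({"time": "2024-06-25T10:06:00Z", "event_id": 4728, "actor": "mallory",
                "group": "ESX Admins", "member": "svc-backup"}),
    json.dumps({"time": "2024-06-25T11:00:00Z", "event_id": 4728, "actor": "alice",
                "group": "Finance Admins", "member": "carol"}),
])


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_esx_admins_tampering(events: Iterable[dict], esx_admins_group: str) -> list:
    """Return alerts for lifecycle changes to the group ESXi trusts for admin access.

    Matching is case-insensitive: AD group names are, and the host resolves the
    group by name rather than by SID, which is why a re-created group with the
    same name inherits the host's trust.
    """
    wanted = esx_admins_group.casefold()
    alerts = []
    deleted_before = False
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("group", "").casefold() != wanted:
            continue
        eid = ev["event_id"]
        base = {"time": ev["time"], "event_id": eid, "actor": ev.get("actor"),
                "group": ev["group"]}
        if eid == GROUP_DELETED:
            deleted_before = True
            alerts.append({**base, "severity": "medium",
                           "reason": "ESXi admin group deleted (precondition for re-creation)"})
        elif eid == GROUP_CREATED:
            # Creation after a deletion of the same name is the bypass itself.
            alerts.append({**base, "severity": "high" if deleted_before else "medium",
                           "reason": "ESXi admin group created"})
        elif eid == MEMBER_ADDED:
            alerts.append({**base, "severity": "high", "member": ev.get("member"),
                           "reason": "member added to ESXi admin group"})
    return alerts


if __name__ == "__main__":
    for alert in detect_esx_admins_tampering(parse_events(SAMPLE_EVENTS), "ESX Admins"):
        print(alert)
```

Run it with the group name read from each host rather than a constant; on a host you can confirm the configured name with esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup. The patched behaviour is controlled by the companion setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, which the fix defaults to false so that a newly created group with the right name is no longer granted admin rights automatically; until every host is patched, the event sequence above is the signal to hunt for.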

VMware ESXi OOB Read Enables Local Admin DoS
CVE-2024-37086 - June 25, 2024

VMware ESXi contains an out-of-bounds read vulnerability. A malicious actor with local administrative privileges on a virtual machine with an existing snapshot may trigger an out-of-bounds read leading to a denial-of-service condition of the host.

vCenter Server DCERPC Heap Overflow RCE via Network
CVE-2024-37080 9.8 - Critical - June 18, 2024

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Heap-based Buffer Overflow

vCenter Server Appliance LPE via Sudo Misconfig
CVE-2024-37081 - June 18, 2024

The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.

VMware vCenter Server RCE via Authenticated Shell Escape
CVE-2024-22274 - May 21, 2024

The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.

Out-of-bounds Read/Write in VMware ESXi/Workstation/Fusion Storage Controllers
CVE-2024-22273 7.8 - High - May 21, 2024

The storage controllers on VMware ESXi, Workstation, and Fusion have an out-of-bounds read/write vulnerability. A malicious actor with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial-of-service condition or, in conjunction with other issues, execute code on the hypervisor from a virtual machine.

Out-of-bounds Read

VMware vCenter Server Partial File Read via Admin Shell
CVE-2024-22275 - May 21, 2024

The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.

VMware ESXi/Workstation/Fusion UHCI USB Use-After-Free, VM Escape
CVE-2024-22253 6.7 - Medium - March 05, 2024

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

VMware ESXi OOB Write Enables VMX Sandbox Escape
CVE-2024-22254 8.2 - High - March 05, 2024

VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.

VMware ESXi/Workstation/Fusion: UHCI USB Info Disclosure
CVE-2024-22255 - March 05, 2024

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.  

VMware Aria Ops LPE: Admin Can Escalate to root
CVE-2024-22235 6.7 - Medium - February 21, 2024

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

Aria Automation Missing Access Control Exploit Enables Unauthorized Access
CVE-2023-34063 8.3 - High - January 16, 2024

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

AuthZ

VMware vCenter Server OOB Write in DCERPC Enables RCE
CVE-2023-34048 9.8 - Critical - October 25, 2023

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

Memory Corruption

VMware Aria Operations: LPE via admin escalation to root
CVE-2023-34043 6.7 - Medium - September 27, 2023

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

Improper Privilege Management

VMware Workspace ONE Access: Insecure Redirect Vulnerability (CVE-2023-20884)
CVE-2023-20884 6.1 - Medium - May 30, 2023

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.

Open Redirect

VMware Aria Ops: Deserialization Exec with Admin Privs - CVE-2023-20878
CVE-2023-20878 7.2 - High - May 12, 2023

VMware Aria Operations contains a deserialization vulnerability. A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system.

Marshaling, Unmarshaling

VMware Aria Ops LPE: Admin-user Escalates to Root OS
CVE-2023-20879 6.7 - Medium - May 12, 2023

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.

VMware Aria Ops: Privileges Escal to root via Local Admin
CVE-2023-20880 6.7 - Medium - May 12, 2023

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

VMware Aria Ops PrivEsc via ReadOnly Code Exec
CVE-2023-20877 8.8 - High - May 12, 2023

VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

VMware Aria Ops Logs: cmd injection grants root execution
CVE-2023-20865 7.2 - High - April 20, 2023

VMware Aria Operations for Logs contains a command injection vulnerability. A malicious actor with administrative privileges in VMware Aria Operations for Logs can execute arbitrary commands as root.

Command Injection

Deserialization RCE in VMware Aria Ops for Logs (CVE-2023-20864)
CVE-2023-20864 9.8 - Critical - April 20, 2023

VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.

Marshaling, Unmarshaling

VMware Workspace ONE Access/IDM Authenticated RCE Vulnerability
CVE-2022-31700 7.2 - High - December 14, 2022

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Workspace ONE Access/IDM: Broken Authentication (CVE-2022-31701)
CVE-2022-31701 5.3 - Medium - December 14, 2022

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Missing Authentication for Critical Function
