Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202603-00000006
[Content Description]
Researchers have identified two high-severity vulnerabilities in Broadcom VMware products (CVE-2026-22719 and CVE-2026-22720): a command injection and a stored cross-site scripting (XSS) flaw, respectively. The command injection lies in the Aria Operations support-assisted product migration flow and allows an unauthenticated remote attacker to execute arbitrary commands on an affected system; it is already being exploited by attackers. The stored XSS allows a remote attacker who holds the permission to create custom benchmarks to inject a malicious script and then perform system operations with administrator privileges. Verify exposure and apply the patches as soon as possible.
[Affected Platforms]
VMware Aria Operations 8.05 up to, but not including, 8.18.6
VMware Cloud Foundation 4.0 up to, but not including, 5.2.3
VMware Cloud Foundation 9.0 up to, but not including, 9.0.2.0
VMware Telco Cloud Platform 4.0 through 5.1 (inclusive)
VMware Telco Cloud Infrastructure 2.2 through 3.0 (inclusive)
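The affected-version list above turned into a triage check, as an added example (not code from the NISAC alert or from Broadcom): it compares an inventory of installed versions against the ranges in this alert. It assumes version strings compare as dot-separated integer tuples and uses the lower bound "8.05" exactly as printed here.

```python
# Added example (not from the NISAC alert or Broadcom): triage a product inventory
# against the affected-version ranges listed in this alert. "Up to but not including"
# means the upper bound is the fixed version; "inclusive" means it is still affected.
# Assumption: versions compare as dot-separated integer tuples, and the lower bound
# "8.05" is used exactly as the alert prints it; confirm it against Broadcom's advisory.
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.strip().split("."))

# (product, lower bound inclusive, upper bound, upper bound inclusive?)
AFFECTED_RANGES = [
    ("VMware Aria Operations",            "8.05", "8.18.6",  False),
    ("VMware Cloud Foundation",           "4.0",  "5.2.3",   False),
    ("VMware Cloud Foundation",           "9.0",  "9.0.2.0", False),
    ("VMware Telco Cloud Platform",       "4.0",  "5.1",     True),
    ("VMware Telco Cloud Infrastructure", "2.2",  "3.0",     True),
]

def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside any affected range."""
    v = parse_version(version)
    for name, low, high, high_inclusive in AFFECTED_RANGES:
        if name != product:
            continue
        lo, hi = parse_version(low), parse_version(high)
        below_upper = v <= hi if high_inclusive else v < hi
        if v >= lo and below_upper:
            return True
    return False

def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose product/version still needs the patch."""
    return [h["host"] for h in inventory if is_affected(h["product"], h["version"])]

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    {"host": "aria-01", "product": "VMware Aria Operations", "version": "8.18.3"},
    {"host": "aria-02", "product": "VMware Aria Operations", "version": "8.18.6"},
    {"host": "vcf-01", "product": "VMware Cloud Foundation", "version": "5.2.1"},
    {"host": "vcf-02", "product": "VMware Cloud Foundation", "version": "9.0.2.0"},
    {"host": "tcp-01", "product": "VMware Telco Cloud Platform", "version": "5.1"},
    {"host": "tci-01", "product": "VMware Telco Cloud Infrastructure", "version": "3.0.1"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: inside an affected range, patch required")
```

The boundary cases in the sample (8.18.6 already fixed, 3.0.1 past the inclusive 3.0 bound, 9.0.2.0 already fixed) show why the inclusive/exclusive distinction from the alert matters.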
[Recommended Actions]
Broadcom has released fixes for both vulnerabilities; apply the updates as described in the vendor advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2026-22719
2. https://nvd.nist.gov/vuln/detail/CVE-2026-22720
3. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947