
CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two actively exploited vulnerabilities, CVE-2026-21385 (Qualcomm Memory Corruption) and CVE-2026-22719 (VMware Aria Operations Command Injection), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these flaws to reduce exposure to cyberattacks.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-03

Authors: CISA

Source: CISA

Key Takeaways

  • CISA has added two new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation.
  • CVE-2026-21385 is a memory corruption vulnerability affecting Qualcomm Multiple Chipsets.
  • CVE-2026-22719 is a command injection vulnerability affecting Broadcom VMware Aria Operations.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by the specified due date per BOD 22-01.
  • All organizations are strongly urged to prioritize patching these vulnerabilities to reduce cyberattack exposure.

Affected Systems

  • Qualcomm Multiple Chipsets
  • Broadcom VMware Aria Operations

Vulnerabilities (CVEs)

  • CVE-2026-21385
  • CVE-2026-22719

Attack Chain

Malicious cyber actors are actively exploiting CVE-2026-21385 (memory corruption in Qualcomm chipsets) and CVE-2026-22719 (command injection in VMware Aria Operations). Specific exploitation chains, payloads, and post-exploitation activities are not detailed in the alert, but these vulnerabilities likely serve as initial access, privilege escalation, or remote code execution vectors.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the CISA alert.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR may detect post-exploitation activity such as command injection child processes from VMware Aria Operations, but memory corruption on Qualcomm chipsets (often mobile/embedded) typically lacks standard EDR visibility.
  • Network Visibility: Medium. Network sensors might detect anomalous inbound requests targeting VMware Aria Operations, but encrypted payloads or mobile network traffic (Qualcomm) may be blind spots.
  • Detection Difficulty: Moderate. Detecting exploitation attempts requires specific application logging and a baseline understanding of VMware Aria Operations process trees. Qualcomm chipset exploitation is inherently difficult to detect without specialized mobile/hardware telemetry.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Application logs (VMware Aria)
  • Process creation logs (Event ID 4688 / Sysmon Event ID 1 / Linux auditd)

Hunting Hypotheses

  • Hypothesis: Look for unexpected child processes spawning from VMware Aria Operations web or application services, indicating potential command injection (CVE-2026-22719).
    Telemetry: Process creation logs
    ATT&CK Stage: Execution
    FP Risk: Low

Control Gaps

  • Lack of mobile/hardware-level telemetry for Qualcomm chipsets
  • Insufficient application-layer inspection for VMware Aria Operations

Key Behavioral Indicators

  • Anomalous child processes from VMware Aria services
  • Unexpected shell execution (sh, bash, cmd) by application service accounts
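The hunting hypothesis and the behavioral indicators above describe a child-process detection, but the alert itself ships no rules. The script below is an added example (not CISA's or Broadcom's detection logic) that applies that hypothesis to constructed JSON process-creation records of the kind a Sysmon Event ID 1 or auditd pipeline would emit. The Aria Operations service process names (`aria-app-service`, `aria-web-service`) and the service account name (`aria-svc`) are placeholders, not documented names; baseline the real process tree in your deployment before using it.

```python
"""
Hunt for shell interpreters spawned by VMware Aria Operations application
services or run under application service accounts (CVE-2026-22719 hunting
hypothesis). Added example; the parent process and account names are
ASSUMED placeholders, not names documented by the vendor or by CISA.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Shell interpreters named in the alert's behavioral indicators.
SHELL_INTERPRETERS = {"sh", "bash", "dash", "cmd", "cmd.exe"}

# ASSUMPTION: placeholder names for the Aria Operations web/application
# service processes and the account they run under. Replace both sets with
# values baselined from your own environment.
APP_SERVICE_PARENTS = {"aria-app-service", "aria-web-service"}
APP_SERVICE_ACCOUNTS = {"aria-svc"}


@dataclass
class Finding:
    ts: str
    parent: str
    image: str
    user: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Both an app-service parent and an app-service account is the
        # strongest signal; either one alone still merits triage.
        return "high" if len(self.reasons) > 1 else "medium"


def basename(path: str) -> str:
    """Last path component for POSIX or Windows paths, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches the hunting hypothesis."""
    if basename(event["image"]) not in SHELL_INTERPRETERS:
        return None
    reasons = []
    if basename(event["parent"]) in APP_SERVICE_PARENTS:
        reasons.append("shell spawned by application service process")
    if event["user"].lower() in APP_SERVICE_ACCOUNTS:
        reasons.append("shell executed under application service account")
    if not reasons:
        return None
    return Finding(event["ts"], event["parent"], event["image"],
                   event["user"], event.get("cmdline", ""), reasons)


def hunt(lines) -> List[Finding]:
    """Run classify() over JSON-lines process creation records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# CONSTRUCTED sample records (not real telemetry). Records 1 and 4 should
# fire; 2 (cron as root) and 3 (java, not a shell) should not; 5 is malformed.
SAMPLE_EVENTS = """
{"ts": "2026-03-03T10:00:01Z", "parent": "/opt/aria/bin/aria-app-service", "image": "/bin/sh", "user": "aria-svc", "cmdline": "sh -c id"}
{"ts": "2026-03-03T10:00:05Z", "parent": "/usr/sbin/cron", "image": "/bin/bash", "user": "root", "cmdline": "bash /etc/cron.hourly/logrotate"}
{"ts": "2026-03-03T10:00:09Z", "parent": "/opt/aria/bin/aria-web-service", "image": "/usr/bin/java", "user": "aria-svc", "cmdline": "java -jar worker.jar"}
{"ts": "2026-03-03T10:00:12Z", "parent": "/usr/lib/systemd/systemd", "image": "/bin/bash", "user": "aria-svc", "cmdline": "bash -i"}
this line is not json and must be skipped
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity}] {f.ts} {f.user}: {f.parent} -> {f.image} "
              f"({f.cmdline}) reasons={f.reasons}")
```

The two signals are kept separate so the tuning can differ: a shell under the service account with an unexpected parent (record 4) is worth a medium alert, while a shell directly under the application service (record 1) is the pattern the hypothesis targets and is rated high.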

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify all instances of Qualcomm chipsets and VMware Aria Operations in the environment.
  • Apply vendor-supplied patches or updates for CVE-2026-21385 and CVE-2026-22719 immediately.

Infrastructure Hardening

  • Restrict network access to VMware Aria Operations interfaces to authorized management IP ranges only.
  • Implement Web Application Firewalls (WAF) in front of public-facing or critical internal web applications.

User Protection

  • Ensure mobile device management (MDM) policies require the latest OS and firmware updates for devices using Qualcomm chipsets.

Security Awareness

  • Communicate the urgency of BOD 22-01 compliance to relevant IT and vulnerability management stakeholders.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059 - Command and Scripting Interpreter
  • T1068 - Exploitation for Privilege Escalation