CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities affecting Cisco, Google Chrome, and Arista Networks to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that these flaws are being actively targeted by malicious actors. Inclusion in the KEV catalog requires federal civilian executive branch agencies to apply available patches or mitigations by June 23, 2026, to defend against potential attacks.
The vulnerabilities added are CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager; CVE-2026-11645, a critical flaw in Google Chrome's V8 engine; and CVE-2026-7473, impacting Arista Networks' Extensible Operating System (EOS).
The Cisco vulnerability, CVE-2026-20245, carries a CVSS score of 7.8 and is described as an improper encoding or escaping of output issue. This flaw could permit an authenticated, local attacker to execute arbitrary commands with root privileges by submitting a specially crafted file to the affected system. Because exploitation requires authenticated local access, the flaw is a privilege-escalation risk: an attacker who already has a foothold on the system can use it to gain root.
Google Chrome's V8 engine is affected by CVE-2026-11645, a severe out-of-bounds read and write vulnerability with a CVSS score of 8.8. Remote attackers can exploit this flaw by presenting a malicious HTML page, potentially leading to arbitrary code execution within the browser's sandbox. This is a significant concern given Chrome's widespread use and the potential for drive-by attacks.
Arista Networks' EOS is subject to CVE-2026-7473, a vulnerability with a CVSS score of 6.9. This flaw involves an incomplete comparison with missing factors, which could allow an attacker to process non-configured tunnel traffic. While not as severe in its direct impact as the others, it could be used in more complex network-based attacks. Arista noted that this vulnerability has been reported as being exploited in the wild, with Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis credited for its responsible disclosure.
Notably, Arista Networks has stated that no patches are planned for CVE-2026-7473, citing the risk of disrupting existing configurations. Instead, the company has provided mitigation strategies, including applying Access Control Lists (ACLs) on upstream devices or on the affected devices themselves to selectively allow legitimate tunnel traffic or block malicious traffic. This approach underscores the challenges in patching network infrastructure where stability is paramount.
The inclusion of these three vulnerabilities in the KEV catalog underscores that attackers are actively seeking and exploiting weaknesses across various technology stacks, from network devices to web browsers. Organizations are strongly advised to review their configurations and apply necessary patches or mitigations promptly.
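The triage step this implies, as an added example that is not from CISA or any vendor named above: it matches a hypothetical asset inventory against KEV-style entries built from the article's CVE IDs and due date, and marks CVE-2026-7473 as mitigation-only because Arista plans no patch. The inventory, host names, exact-match product strings and the `triage` function are assumptions made for illustration.

```python
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (cveID, vendorProject,
# product, dueDate). CVE IDs and the due date come from the article above;
# the product strings are simplified for this example.
KEV_ENTRIES = [
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google",
     "product": "Chrome", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista",
     "product": "EOS", "dueDate": "2026-06-23"},
]
# Per the article, Arista plans no patch: closure means a verified ACL mitigation.
MITIGATION_ONLY = {"CVE-2026-7473"}

# Hypothetical inventory (constructed): host, vendor, product, remediated CVEs.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "cisco",
     "product": "catalyst sd-wan manager", "remediated": set()},
    {"host": "edge-sw-07", "vendor": "arista", "product": "eos", "remediated": set()},
    {"host": "kiosk-12", "vendor": "google", "product": "chrome",
     "remediated": {"CVE-2026-11645"}},
    {"host": "fw-03", "vendor": "examplevendor", "product": "firewall",
     "remediated": set()},
]

def triage(inventory, kev_entries, today):
    """Return open KEV findings, most urgent (fewest days left) first."""
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            same_vendor = entry["vendorProject"].lower() == asset["vendor"].lower()
            same_product = entry["product"].lower() == asset["product"].lower()
            if not (same_vendor and same_product):
                continue  # asset does not run the affected product
            if entry["cveID"] in asset["remediated"]:
                continue  # already patched or mitigated and verified
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            action = "mitigate" if entry["cveID"] in MITIGATION_ONLY else "patch"
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "action": action, "days_left": days_left,
                             "overdue": days_left < 0})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_ENTRIES, date(2026, 6, 20)):
        print(finding)
```

In practice the entries would be loaded from the KEV feed rather than embedded, and product matching would go through a normalized identifier rather than exact strings.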