
Introduction
Cybersecurity defenders face a fresh challenge after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security flaws to its Known Exploited Vulnerabilities (KEV) Catalog on the basis of evidence that attackers are already abusing them in real-world environments. The additions signal heightened risk for government agencies, enterprises, and critical infrastructure operators that depend on Cisco, Google Chrome, and Arista networking technologies.
The latest KEV additions show how threat actors continue to exploit weaknesses across multiple technology layers, from network infrastructure and browser engines to software-defined wide area networking (SD-WAN) management platforms. Organizations that fail to act quickly may expose themselves to unauthorized access, remote code execution, network manipulation, and potentially severe operational disruptions.
CISA Adds Three New Exploited Vulnerabilities to KEV Catalog
CISA officially added three vulnerabilities to its Known Exploited Vulnerabilities catalog after receiving evidence that threat actors are actively exploiting them in the wild. The vulnerabilities affect products from Cisco, Google, and Arista, three major technology providers whose products are widely deployed across enterprise environments.
The newly listed vulnerabilities include:
CVE-2026-20245 affecting Cisco Catalyst SD-WAN Manager
CVE-2026-11645 affecting Google Chrome V8
CVE-2026-7473 affecting Arista Extensible Operating System (EOS)
The move highlights the seriousness of these flaws and places pressure on organizations to implement available fixes or mitigation measures immediately.
Cisco Catalyst SD-WAN Manager Vulnerability Enables Root Command Execution
One of the most concerning vulnerabilities added to the KEV catalog is CVE-2026-20245, which impacts Cisco Catalyst SD-WAN Manager.
The flaw stems from improper encoding and output escaping mechanisms within the platform. An authenticated local attacker can exploit the weakness by supplying a specially crafted file to the affected system. Successful exploitation could allow arbitrary command execution with root-level privileges.
Root access represents the highest level of control within Linux-based systems. If attackers obtain such privileges, they can modify configurations, disable security controls, install malware, create hidden backdoors, and potentially pivot deeper into enterprise networks.
Given the critical role SD-WAN technologies play in modern enterprise connectivity, exploitation of this flaw could have significant consequences for organizations managing distributed infrastructure.
Google Chrome V8 Flaw Creates Remote Code Execution Risk
The second vulnerability, CVE-2026-11645, affects
The flaw is classified as an out-of-bounds read and write in V8, the JavaScript engine inside Chrome. Attackers can exploit it by convincing a user to visit a specially crafted HTML page; once triggered, the bug may allow arbitrary code execution inside Chrome's renderer sandbox. Code running there cannot by itself reach the operating system, so a full compromise typically chains a second bug to escape the sandbox, which is why in-the-wild V8 exploits are usually one stage of a longer chain rather than a complete attack on their own.
Browser vulnerabilities remain among the most dangerous attack vectors because web browsers serve as the primary gateway to the internet for millions of users worldwide. A single malicious webpage can become the delivery mechanism for malware, credential theft operations, espionage campaigns, or further exploitation attempts.
The inclusion of this vulnerability in
Arista EOS Vulnerability Raises Network Security Concerns
The third vulnerability, CVE-2026-7473, affects
According to Arista, the issue occurs when affected devices are configured with tunnel decapsulation features such as VXLAN, GRE tunnels, or decap-groups. Under these conditions, switches may improperly decapsulate and forward unexpected tunneled traffic.
The vulnerability exists because the switch fails to properly verify tunnel protocol types before processing traffic. As a result, packets that should normally be rejected may instead be accepted and forwarded through the network.
Because the decapsulated inner packet is then forwarded, an attacker who can reach a switch's tunnel endpoint address can get packets of their choosing into the network behind it, where they appear to have arrived over a trusted tunnel rather than from an external source. This allows malicious actors to manipulate traffic flows or introduce unauthorized tunneled traffic into affected environments.
Specific Hardware Platforms at Risk
Arista confirmed that several product families are particularly affected by the vulnerability, including:
7020R Series
7280R Series
7280R2 Series
7500R Series
7500R2 Series
However, successful exploitation depends on specific deployment conditions. The affected devices must be configured as tunnel endpoints using VXLAN VTEPs, GRE tunnel endpoints, or IP decapsulation groups.
Organizations using these configurations should carefully assess their exposure and implement mitigation strategies as quickly as possible.
Arista Confirms Active Exploitation but Declines to Release a Patch
In an unusual development, Arista acknowledged that CVE-2026-7473 has already been exploited in real-world attacks. The vulnerability was responsibly disclosed by Comcast security researchers Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis.
Despite confirming active exploitation, Arista announced that it does not plan to release a software patch.
The company explained that modifying the underlying behavior could disrupt existing customer deployments and potentially break production environments relying on current configurations. While this decision may preserve operational stability, it also places greater responsibility on administrators to deploy alternative protections.
The situation highlights a difficult reality in cybersecurity: sometimes fixing a vulnerability can introduce operational risks that are nearly as severe as the vulnerability itself.
Recommended Mitigation Strategies
Since no official patch is planned, Arista has provided mitigation guidance centered on Access Control Lists (ACLs).
The first approach deploys ACLs on upstream networking devices so that only legitimate tunnel traffic reaches the affected switches.
The second approach applies ACLs directly on the vulnerable devices to filter unauthorized tunnel traffic before it is processed.
In either placement the rule set is the same in spirit: permit the tunnel protocols in use (GRE is IP protocol 47, VXLAN is UDP port 4789, IP-in-IP is IP protocol 4) only between the configured tunnel endpoint addresses and their known peers, and deny those protocols from every other source. Both strategies reduce exposure by controlling which packets can reach the decapsulation path and preventing attackers from abusing it.
Organizations should evaluate both approaches against their network architecture and security requirements, and verify after deployment that legitimate tunnels still come up, since an ACL that is too narrow will drop production traffic.
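The following is an added illustration written for this article, not Arista code, that models the two behaviours described above: a tunnel endpoint that decapsulates and forwards any tunnel it can parse for one of its local addresses (the reported behaviour), next to a strict endpoint that decapsulates only the (tunnel type, local address, peer address) tuples it was configured for, which is the filtering effect the ACL mitigation is meant to achieve. All packets, addresses and VNIs are constructed test data; the packet builders are deliberately minimal (no checksums, no options).

```python
"""Model of a tunnel endpoint's decapsulation decision (added illustration,
not vendor code). Packets, addresses and VNIs below are constructed test data."""
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE = 4, 17, 47
VXLAN_PORT = 4789


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for test traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_gre(inner):
    """GRE header with no optional fields, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner


def build_vxlan(inner, vni):
    """UDP header (zero checksum) followed by a VXLAN header carrying `vni`.
    Real VXLAN payload is an Ethernet frame; here `inner` is opaque bytes."""
    vx = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx) + len(inner), 0)
    return udp + vx + inner


def classify_tunnel(pkt):
    """Return (tunnel_type, outer_src, outer_dst, inner) for a GRE, IP-in-IP
    or VXLAN packet, or None when `pkt` is not tunneled."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_GRE:
        flags = struct.unpack("!H", body[:2])[0]
        # C (0x8000), K (0x2000) and S (0x1000) each add a 4-byte field
        hlen = 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
        return ("gre", src, dst, body[hlen:])
    if proto == IPPROTO_IPIP:
        return ("ipip", src, dst, body)
    if proto == IPPROTO_UDP and struct.unpack("!H", body[2:4])[0] == VXLAN_PORT:
        return ("vxlan", src, dst, body[16:])  # 8-byte UDP + 8-byte VXLAN header
    return None


class TunnelEndpoint:
    def __init__(self, decap_rules):
        # Each rule: (tunnel_type, local_endpoint_ip, remote_peer_ip)
        self.rules = set(decap_rules)
        self.local_ips = {local for _, local, _ in self.rules}

    def decap_permissive(self, pkt):
        """Reported behaviour: any recognised tunnel addressed to a local
        endpoint IP is decapsulated and its payload forwarded, whether or
        not that tunnel type or peer was ever configured."""
        t = classify_tunnel(pkt)
        if t and t[2] in self.local_ips:
            return t[3]
        return None

    def decap_strict(self, pkt):
        """Hardened: decapsulate only when tunnel type, local address and
        peer address all match a configured rule; everything else is dropped.
        This is the allowlist an ACL between the peers enforces."""
        t = classify_tunnel(pkt)
        if t and (t[0], t[2], t[1]) in self.rules:
            return t[3]
        return None


def demo():
    """Run both policies over one legitimate and two rogue packets."""
    ep = TunnelEndpoint({("vxlan", "192.0.2.1", "192.0.2.10")})  # configured VTEP peer
    inner = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"inner-tcp-segment")
    legit = build_ipv4("192.0.2.10", "192.0.2.1", IPPROTO_UDP, build_vxlan(inner, 100))
    rogue_gre = build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_GRE, build_gre(inner))
    rogue_peer = build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_UDP, build_vxlan(inner, 100))
    return {
        "legit_permissive": ep.decap_permissive(legit) == inner,
        "legit_strict": ep.decap_strict(legit) == inner,
        "rogue_gre_permissive": ep.decap_permissive(rogue_gre) == inner,   # forwarded: the flaw
        "rogue_gre_strict": ep.decap_strict(rogue_gre) is None,            # dropped
        "rogue_peer_permissive": ep.decap_permissive(rogue_peer) == inner,  # forwarded: the flaw
        "rogue_peer_strict": ep.decap_strict(rogue_peer) is None,           # dropped
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The permissive path accepts a GRE packet from an address that was never a tunnel peer simply because the outer destination is a local endpoint; the strict path keys on the full (type, local, peer) tuple, which is exactly the information an upstream or on-box ACL needs (protocol, destination, source) to reproduce the same decision in hardware.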
Federal Agencies Face Tight Remediation Deadline
Recognizing the immediate threat posed by these vulnerabilities, CISA has directed Federal Civilian Executive Branch agencies to apply patches or mitigation measures no later than June 23, 2026.
The deadline reflects the urgency associated with vulnerabilities that are already being exploited by threat actors. Government agencies often serve as attractive targets due to the sensitive information they manage and the critical services they provide.
Private sector organizations should view the deadline as a strong indicator of the risks involved and consider accelerating their own remediation efforts.
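Turning the catalog entries and their due date into a per-asset remediation list is a small scripting job. The example below is added for this article (it is not CISA or vendor tooling): it reads a KEV-shaped JSON document, matches entries against an asset inventory by vendor and product name, and reports the days left before each entry's dueDate. The feed sample is constructed in the shape of the real KEV JSON with only the fields the script uses; the CVE IDs, vendors, products and due date are those reported above, and the inventory is constructed.

```python
"""Cross-check an asset inventory against a KEV-shaped feed and report the
remediation clock. Added example, not CISA or vendor tooling; feed sample
and inventory are constructed."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [  # constructed, KEV-shaped
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google",
     "product": "Chrome V8", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista",
     "product": "Extensible Operating System (EOS)", "dueDate": "2026-06-23"},
]})

INVENTORY = [  # constructed; vendor/product as the asset owner records them
    {"host": "core-sw-01", "vendor": "Arista", "product": "EOS", "platform": "7280R"},
    {"host": "sdwan-mgr", "vendor": "Cisco", "product": "SD-WAN Manager", "platform": "vm"},
    {"host": "ws-0412", "vendor": "Google", "product": "Chrome", "platform": "laptop"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "platform": "vm"},
]


def _norm(s):
    """Lower-case and strip punctuation so 'SD-WAN Manager' matches 'Catalyst SD-WAN Manager'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def kev_exposure(kev_json, inventory, today):
    """Return one finding per (asset, KEV entry) pair whose vendor matches and
    whose inventory product name appears inside the KEV product name, with
    the number of days left before the entry's dueDate (negative = overdue).
    Matching is deliberately loose: a false positive costs a version check,
    a miss costs an unpatched exploited bug."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            if _norm(asset["product"]) not in _norm(entry["product"]):
                continue
            days_left = (due - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "due": entry["dueDate"], "days_left": days_left,
                             "overdue": days_left < 0})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))


if __name__ == "__main__":
    for f in kev_exposure(KEV_SAMPLE, INVENTORY, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:12} {f['cve']:16} due {f['due']}  {state}")
```

In production, replace KEV_SAMPLE with the live catalog (CISA publishes it as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and feed the inventory from your CMDB. KEV entries do not carry affected version ranges, so a match here means "exploited bug exists for this product"; confirming whether a given host runs a vulnerable build still requires the vendor advisory.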
The Growing Trend of Infrastructure-Level Exploitation
The latest KEV additions reveal a broader trend emerging across the cybersecurity landscape. Attackers are increasingly targeting infrastructure technologies that sit deep within enterprise environments rather than focusing solely on endpoint systems.
Network operating systems, browser engines, and SD-WAN management platforms represent high-value targets because they provide broad visibility and control over enterprise operations.
Compromising these technologies can enable attackers to bypass traditional security boundaries, establish persistence, and move laterally throughout networks with greater efficiency.
As organizations continue adopting hybrid cloud architectures, software-defined networking, and large-scale internet-connected infrastructures, vulnerabilities in foundational technologies are becoming increasingly attractive to sophisticated threat groups.
What Undercode Say:
The most interesting aspect of this story is not the addition of three vulnerabilities to the KEV catalog.
The real story is that all three vulnerabilities affect entirely different layers of modern infrastructure.
Cisco represents network management.
Chrome represents user interaction.
Arista represents network transport.
Together, they create a complete attack chain possibility.
An attacker could compromise a browser.
Move through enterprise infrastructure.
Then interact with vulnerable network management systems.
This demonstrates why cybersecurity is no longer about protecting a single device.
Organizations must defend entire ecosystems.
The Arista case is particularly noteworthy.
Vendors rarely acknowledge active exploitation while simultaneously refusing to release a patch.
That decision reflects how complex modern networking environments have become.
Changing protocol handling logic can create unexpected outages.
In many enterprise environments, availability remains as important as security.
The Chrome vulnerability remains especially dangerous.
Browser-based attacks require minimal user interaction.
A single visit to a malicious page may be enough.
Historically, browser exploits have been favored by espionage groups.
They also serve as entry points for ransomware operators.
Cisco’s vulnerability introduces another concern.
Root-level execution inside SD-WAN infrastructure can expose large portions of distributed networks.
Modern organizations often connect hundreds of branch offices through SD-WAN technologies.
A compromise could impact far more than one location.
The inclusion in the KEV catalog confirms practical exploitation.
These are not theoretical laboratory vulnerabilities.
Someone is already using them.
The timing also suggests active threat intelligence collection by government agencies.
When CISA moves quickly, defenders should pay attention.
Another important lesson is visibility.
Many organizations know which browsers employees use.
Far fewer know which network tunnels are active.
Even fewer fully understand every SD-WAN configuration.
Attackers often exploit these blind spots.
The Arista vulnerability further demonstrates how configuration complexity can become a security risk.
Security teams should prioritize asset inventory validation.
Network segmentation remains critical.
Monitoring tunneled traffic should become a standard defensive practice.
Threat hunting teams should also review logs for unusual decapsulation behavior.
The long-term lesson is clear.
Infrastructure security is becoming the primary battlefield.
Attackers are moving deeper into enterprise architecture.
Defenders must follow them there.
Deep Analysis: Linux and Network Security Commands for Detection and Investigation
Security teams investigating potential exposure can use the following Linux commands to improve visibility. They apply to Linux hosts such as SD-WAN components, tunnel gateways and network sensors; on an Arista switch the authoritative view of configured tunnel endpoints is the EOS running configuration (for example "show running-config | section vxlan"), and many of the utilities below are also available from the EOS bash shell:
Checking Network Interfaces
ip addr show
Monitoring Active Connections
ss -tulpn
Reviewing Routing Tables
ip route
Detecting Suspicious Tunnel Interfaces (ip tunnel show lists IP-in-IP, GRE and SIT tunnels; VXLAN interfaces are listed separately)
ip tunnel show
ip -d link show type vxlan
Capturing Potentially Malicious Tunnel Traffic (GRE is IP protocol 47, IP-in-IP is protocol 4, VXLAN is UDP port 4789; an unfiltered capture on all interfaces is too noisy to be useful)
tcpdump -i any -nn 'ip proto 47 or ip proto 4 or udp port 4789'
Reviewing Firewall Rules (the second form for hosts that use nftables)
iptables -L -n -v
nft list ruleset
Inspecting Network Activity (ss replaces the deprecated netstat and reports the same sockets)
ss -antp
Searching System Logs
journalctl -xe
Monitoring Real-Time Events (/var/log/syslog on Debian-derived systems; /var/log/messages on Red Hat-derived systems, or journalctl -f where logging goes only to the journal)
tail -f /var/log/syslog
Identifying Unusual Processes
ps aux --sort=-%cpu
These commands provide defenders with practical visibility into network behavior, tunnel configurations, and suspicious activity that could indicate exploitation attempts.
✅ CISA added CVE-2026-20245, CVE-2026-11645, and CVE-2026-7473 to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation.
✅ Arista confirmed that CVE-2026-7473 has been observed in real-world attacks and publicly documented mitigation strategies instead of planning a software patch.
✅ Federal Civilian Executive Branch agencies were instructed to apply fixes or mitigations before June 23, 2026, reflecting the urgency of the threat posed by these vulnerabilities.
Prediction
(+1) Organizations will accelerate auditing of tunnel configurations, SD-WAN deployments, and browser security policies following CISA’s warning.
(+1) Network visibility and tunnel traffic inspection technologies will receive increased investment from enterprises concerned about infrastructure-level attacks.
(-1) Unpatched Arista deployments that fail to implement ACL-based mitigations may continue to attract threat actor attention throughout the coming months.
(-1) Browser-based exploitation campaigns leveraging newly discovered V8 vulnerabilities are likely to remain a favored entry point for cybercriminal and espionage operations.
(+1) Security vendors will increasingly focus on infrastructure-focused threat detection capabilities as attackers target deeper layers of enterprise architecture.
References:
Reported By: thehackernews.com