Exploited Arista, Cisco SD-WAN and Chrome Bugs Enter CISA KEV

CyberSecureFox Editorial Team

On June 9, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, confirming that they are being actively exploited. Among them are a critical flaw in Arista network equipment for which the vendor has explicitly refused to release a fix, a vulnerability in Cisco Catalyst SD-WAN Manager enabling command execution as root, and a bug in the V8 engine of the Google Chrome browser that allows remote code execution. U.S. federal agencies are required to remediate these threats by June 23, 2026.

Technical details of the vulnerabilities

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager

CVE-2026-20245 (CVSS 7.8) stems from improper encoding or escaping of output in Cisco Catalyst SD-WAN Manager. According to available information, an authenticated local attacker can execute arbitrary commands with root privileges by supplying a specially crafted file to the vulnerable system. Although exploitation requires local access and authentication, escalation to root makes this vulnerability a serious threat for organizations using Cisco SD-WAN infrastructure.

CVE-2026-11645 — Google Chrome V8

The CVE-2026-11645 vulnerability (CVSS 8.8) is an out-of-bounds read and write bug in the V8 JavaScript engine of the Google Chrome browser. As reported, a remote attacker can achieve arbitrary code execution inside the browser sandbox via a specially crafted HTML page. This is the highest CVSS score among the three newly added vulnerabilities, and the web page attack vector makes it potentially widespread.

CVE-2026-7473 — Arista EOS

The CVE-2026-7473 vulnerability (CVSS 6.9) affects the Arista Extensible Operating System (EOS) and deserves particular attention because of the vendor’s decision not to release a patch. The issue is classified as an incomplete comparison with missing validation factors: on affected platforms configured for tunnel decapsulation (VXLAN, GRE or decapsulation groups), the switch incorrectly processes and forwards unexpected tunneled packets if their destination IP address matches the configured decapsulation IP.

The root cause is that the switch does not verify the tunnel protocol type, which leads to processing of illegitimate tunneled traffic. The affected hardware series are:

  • Arista 7020R
  • Arista 7280R/R2
  • Arista 7500R/R2

For successful exploitation, the device must be configured as a tunnel endpoint with a decapsulation IP address — for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an IP decap-group configured.

Arista’s refusal to release a patch: situation analysis

The most unusual aspect of this incident is Arista’s official position: the company has confirmed that CVE-2026-7473 is being exploited in real-world attacks, yet has stated that no patch will be released. The reason given is the risk of disrupting existing configurations in deployed environments. Discovery of the vulnerability is attributed to Comcast researchers Scott Christiansen, Lucas Peitz, Rich Compton and Jonathan Davis.

This puts operators of Arista network equipment in a difficult position: the vulnerability is being actively exploited and has been added to the KEV catalog, but the only way to protect against it is to apply workarounds manually. For U.S. federal agencies obligated to comply with Binding Operational Directive (BOD) 22-01, this means having to implement mitigations within tight deadlines without the option of simply installing an update.

Impact assessment

The three vulnerabilities affect fundamentally different segments of infrastructure. CVE-2026-20245 threatens centralized SD-WAN management — compromising the manager can give an attacker control over the entire software-defined network. CVE-2026-11645 in Chrome V8 impacts virtually any organization using a Chromium-based browser, although code execution is confined to the sandbox. CVE-2026-7473 in Arista EOS poses a threat to data centers and large-scale network infrastructures where VXLAN fabrics and GRE tunnels are standard architectural components.

The absence of a patch for Arista EOS creates a long-term risk: the ACL rules used as a workaround require ongoing maintenance and can be misconfigured, especially in complex environments with dynamic routing.

Practical recommendations

For Arista EOS (CVE-2026-7473):

  • Verify whether the device is configured as a tunnel endpoint (VXLAN VTEP, GRE endpoint, IP decap-group)
  • Apply access control lists (ACLs) on upstream devices to filter illegitimate tunneled traffic
  • Alternatively, configure ACLs directly on the affected switches to block unexpected decapsulation
  • The goal of both strategies is to allow only legitimate tunneled traffic or selectively block malicious traffic
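
The sketch below is an added example, not Arista's code or part of the original article: a simplified Python model of the destination-only comparison described for CVE-2026-7473, next to the complete comparison an ACL in front of the decapsulation IP should enforce. The flow-record format, the peer allow-list and the documentation-range addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

GRE, UDP = 47, 17      # IANA IP protocol numbers
VXLAN_PORT = 4789      # IANA-assigned VXLAN UDP destination port

@dataclass(frozen=True)
class Flow:            # constructed flow-record format (assumption)
    src: str
    dst: str
    proto: int
    dport: int = 0

@dataclass(frozen=True)
class DecapPolicy:     # what the endpoint is meant to terminate (assumption)
    decap_ip: str
    tunnel: str        # "vxlan" or "gre"
    peers: frozenset   # legitimate remote tunnel endpoints

def tunnel_type(f):
    if f.proto == UDP and f.dport == VXLAN_PORT:
        return "vxlan"
    return "gre" if f.proto == GRE else None

def incomplete_match(f, p):
    """Simplified model of the flaw: destination IP is the only factor compared."""
    return tunnel_type(f) is not None and ip_address(f.dst) == ip_address(p.decap_ip)

def acl_verdict(f, p):
    """Complete comparison an ACL in front of the decap IP should enforce."""
    if ip_address(f.dst) != ip_address(p.decap_ip) or tunnel_type(f) is None:
        return "out-of-scope"          # not tunneled traffic for this endpoint
    if tunnel_type(f) != p.tunnel:
        return "deny-wrong-protocol"
    return "permit" if f.src in p.peers else "deny-unknown-peer"

def audit(flows, p):
    """Flows the incomplete check would accept but the ACL must drop."""
    return [(f, acl_verdict(f, p)) for f in flows
            if incomplete_match(f, p) and acl_verdict(f, p) != "permit"]

# Constructed sample data using RFC 5737 documentation addresses.
POLICY = DecapPolicy("192.0.2.10", "vxlan", frozenset({"192.0.2.20", "192.0.2.21"}))
FLOWS = [
    Flow("192.0.2.20", "192.0.2.10", UDP, VXLAN_PORT),   # expected VXLAN from a peer
    Flow("198.51.100.7", "192.0.2.10", GRE),             # GRE to a VXLAN-only endpoint
    Flow("203.0.113.9", "192.0.2.10", UDP, VXLAN_PORT),  # VXLAN from an unknown source
    Flow("192.0.2.20", "192.0.2.30", UDP, 53),           # unrelated traffic
]
```

Running `audit(FLOWS, POLICY)` over exported flow records shows which traffic the ACL has to stop; each `deny-*` verdict maps to one rule class (protocol type, source peer) to review on the upstream device or the switch itself.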

For Cisco SD-WAN Manager (CVE-2026-20245):

  • Install the Cisco update when it becomes available
  • Restrict local access to SD-WAN management systems and minimize the number of privileged accounts
  • Monitor file uploads to the management platform

For Google Chrome (CVE-2026-11645):

  • Update Chrome and all Chromium-based browsers to the latest available version
  • Ensure automatic update mechanisms are enabled in the corporate environment

Organizations subject to CISA requirements must complete the application of fixes or mitigations for all three vulnerabilities by June 23, 2026. Given the lack of a patch for Arista EOS, the top priority should be an immediate review of tunnel endpoint configurations on the affected hardware series and deployment of ACL filtering — this is currently the only available protective measure against CVE-2026-7473.

