Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The list of vulnerabilities is as follows - CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an
Analysis Summary
# Vulnerability: CISA Adds Three Exploited Flaws (Cisco, Chrome, Arista) to KEV Catalog
## CVE Details
- **CVE ID:** CVE-2026-20245 | CVE-2026-11645 | CVE-2026-7473
- **CVSS Score:** 7.8 (High) | 8.8 (High) | 6.9 (Medium)
- **CWE:** Improper Encoding or Escaping (CVE-2026-20245); Out-of-bounds Read/Write (CVE-2026-11645); Incomplete Comparison (CVE-2026-7473).
## Affected Systems
- **Cisco:** Catalyst SD-WAN Manager.
- **Google:** Chrome (V8 Engine).
- **Arista:** Extensible Operating System (EOS) running on 7020R, 7280R/R2, and 7500R/R2 series products.
- **Configurations (Arista):** Specifically affects devices configured as tunnel endpoints with a decapsulation IP (e.g., VXLAN VTEP, GRE tunnel endpoint, or IP decap-group).
## Vulnerability Description
- **CVE-2026-20245 (Cisco):** A failure to properly encode or escape output allows an authenticated local attacker to supply a malicious file to the SD-WAN Manager, resulting in root-level arbitrary command execution.
- **CVE-2026-11645 (Chrome):** An out-of-bounds memory safety issue in the V8 JavaScript engine. A remote attacker can use a crafted HTML page to execute arbitrary code within the browser's sandbox.
- **CVE-2026-7473 (Arista):** The switch fails to verify the tunnel protocol type during decapsulation. It incorrectly processes and forwards unexpected tunneled packets if the destination IP matches the configured decapsulation IP, leading to unauthorized traffic processing.
## Exploitation
- **Status:** All three are **Exploited in the wild** (Added to CISA KEV on June 9, 2026).
- **Complexity:** Low to Medium.
- **Attack Vector:**
  - Cisco: Local (Authenticated).
  - Chrome: Network (Remote).
  - Arista: Network (Tunneling).
## Impact
- **Confidentiality:** High (Full system access or arbitrary code execution).
- **Integrity:** High (Root command execution/unauthorized traffic forwarding).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
- **Cisco/Chrome:** Apply the latest security updates provided by the vendors immediately.
- **Arista:** **No patches planned.** The vendor stated that fixing the flaw could break existing customer configurations.
### Workarounds
- **Arista (CVE-2026-7473):**
  1. Apply Access Control Lists (ACLs) on upstream devices to filter for legitimate tunnel traffic only.
  2. Apply ACLs directly on the affected Arista devices to block malicious or unexpected tunnel traffic.
## Detection
- **Indicators of Compromise:** Monitor for unexpected decapsulated traffic originating from unauthorized IPs on Arista devices. For Cisco, audit file uploads and command logs for unauthorized root-level activity.
- **Detection methods and tools:** Use CISA’s KEV catalog updates to cross-reference asset inventories. FCEB agencies must verify mitigation by June 23, 2026.
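
One way to run the Arista check above over exported flow records, as an added example (not code from the original report or from Arista): it flags tunnel traffic sent to a decapsulation IP that is of the wrong tunnel type or comes from a peer outside the allow-list, which is the traffic the workaround ACLs are meant to drop. The flow-record fields, the `ENDPOINTS` layout and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# IANA-assigned values: IP protocol numbers and the VXLAN UDP port.
IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE = 4, 17, 41, 47
VXLAN_PORT = 4789


def tunnel_type(flow):
    """Classify a flow record as a tunnel protocol, or None if it is not one."""
    if flow["proto"] == IPPROTO_GRE:
        return "gre"
    if flow["proto"] in (IPPROTO_IPIP, IPPROTO_IPV6):
        return "ip-in-ip"
    if flow["proto"] == IPPROTO_UDP and flow["dport"] == VXLAN_PORT:
        return "vxlan"
    return None


def audit_decap_flows(flows, endpoints):
    """Return (flow, reason) pairs for tunnel traffic an ACL should have dropped.

    endpoints maps decap IP -> {"type": expected tunnel type,
                                "peers": list of allowed source CIDRs}.
    This layout is hypothetical, not a vendor configuration format.
    """
    findings = []
    for flow in flows:
        cfg = endpoints.get(flow["dst"])
        kind = tunnel_type(flow)
        if cfg is None or kind is None:
            continue  # not addressed to a decap IP, or not tunnel traffic
        src = ipaddress.ip_address(flow["src"])
        if kind != cfg["type"]:
            findings.append((flow, f"unexpected tunnel type {kind}, expected {cfg['type']}"))
        elif not any(src in ipaddress.ip_network(p) for p in cfg["peers"]):
            findings.append((flow, f"{kind} from unauthorized peer {src}"))
    return findings


# Constructed sample data (documentation address ranges, not from the advisory).
ENDPOINTS = {"192.0.2.10": {"type": "vxlan", "peers": ["198.51.100.0/28"]}}
FLOWS = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": 17, "dport": 4789},
    {"src": "203.0.113.77", "dst": "192.0.2.10", "proto": 47, "dport": 0},
    {"src": "203.0.113.77", "dst": "192.0.2.10", "proto": 17, "dport": 4789},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": 6, "dport": 22},
]

if __name__ == "__main__":
    for flow, reason in audit_decap_flows(FLOWS, ENDPOINTS):
        print(f"{flow['src']} -> {flow['dst']}: {reason}")
```
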
## References
- CISA KEV Catalog: hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog
- Arista Security Advisory: hxxps://www.arista[.]com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137
- Cisco Advisory: hxxps://thehackernews[.]com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html
- Chrome Update: hxxps://thehackernews[.]com/2026/06/chrome-v8-zero-day-cve-2026-11645.html