The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three newly identified vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation in real-world attacks.
The vulnerabilities affect products from Cisco, Google (Chrome), and Arista Networks, prompting federal agencies and organizations to prioritize remediation efforts to reduce security risks.
Three Vulnerabilities Added to CISA’s KEV Catalog
The newly listed vulnerabilities include:
CVE-2026-20245 – Cisco Catalyst SD-WAN Manager
This vulnerability stems from improper output encoding or escaping in Cisco Catalyst SD-WAN Manager. An authenticated local attacker could exploit the flaw by supplying a specially crafted file to the affected system, potentially gaining root-level command execution privileges.
Severity: CVSS 7.8
CVE-2026-11645 – Google Chrome V8 Engine
The vulnerability affects the V8 JavaScript engine used by Google Chrome. Attackers can exploit the flaw through a specially crafted HTML page, allowing arbitrary code execution within Chrome’s sandbox environment.
Severity: CVSS 8.8
CVE-2026-7473 – Arista Extensible Operating System (EOS)
This vulnerability involves incomplete comparison checks that may cause affected Arista devices to process and forward unexpected tunneled network traffic.
Severity: CVSS 6.9
Arista EOS Flaw Actively Exploited in the Wild
Among the three vulnerabilities, CVE-2026-7473 has attracted significant attention due to reports of active exploitation.
According to Arista, affected devices configured as tunnel endpoints may incorrectly decapsulate and forward unexpected tunnel traffic if the destination IP address matches a configured decapsulation address. The issue occurs because the system fails to properly validate the tunnel protocol type before processing packets.
As a result, devices may unintentionally handle network traffic that was never intended to be accepted.
Affected Arista Products
The vulnerability primarily impacts the following product families:
- Arista 7020R Series
- Arista 7280R and 7280R2 Series
- Arista 7500R and 7500R2 Series
For exploitation to occur, the device must be configured with tunnel decapsulation functionality, such as:
- VXLAN Virtual Tunnel Endpoints (VTEPs)
- GRE Tunnel Endpoints
- IP Decapsulation Groups
No Security Patch Planned
Despite confirming that the vulnerability is being exploited in real-world environments, Arista has announced that it does not plan to release a software patch.
The company stated that modifying the behavior could potentially disrupt existing customer deployments and network configurations. Instead, Arista is recommending mitigation strategies to reduce exposure.
Recommended Mitigations
Arista advises organizations to implement Access Control Lists (ACLs) to filter tunnel traffic and prevent unauthorized packet processing.
Two mitigation approaches have been suggested:
1. Apply ACLs on Upstream Devices
Organizations can configure upstream network devices to allow only legitimate tunnel traffic while blocking suspicious packets before they reach vulnerable systems.
2. Apply ACLs on Affected Devices
ACLs can also be deployed directly on affected Arista devices to selectively permit approved tunnel protocols and block potentially malicious traffic.
These measures can help minimize the risk of exploitation without requiring software updates.
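As an added illustration (not code from Arista or CISA), the sketch below applies the same allow-list logic an ACL would enforce to flow records, so a team can check whether anything other than the approved tunnel protocol is reaching a decapsulation address. The endpoint inventory, peer prefixes and flow records are constructed, and restricting by tunnel peer is an assumption about what counts as legitimate traffic.

```python
import ipaddress
from typing import NamedTuple, Optional

# IANA numbers: IP protocol 47 = GRE, 17 = UDP; UDP port 4789 = VXLAN.
GRE, UDP, VXLAN_PORT = 47, 17, 4789

class Flow(NamedTuple):
    src: str
    dst: str
    proto: int             # IP protocol number
    dport: Optional[int]   # None for protocols without ports

# Assumed inventory (constructed): decap address -> (protocol, port, allowed peers)
DECAP_ENDPOINTS = {
    "192.0.2.10": (UDP, VXLAN_PORT, ["198.51.100.0/24"]),  # VXLAN VTEP
    "192.0.2.20": (GRE, None, ["203.0.113.5/32"]),         # GRE tunnel endpoint
}

def verdict(flow: Flow) -> str:
    """Return 'not-decap', 'permit', or the reason the flow should be denied."""
    rule = DECAP_ENDPOINTS.get(flow.dst)
    if rule is None:
        return "not-decap"
    proto, port, peers = rule
    # The check the article says is missing: tunnel type, not just destination IP.
    if flow.proto != proto or (port is not None and flow.dport != port):
        return "deny: unexpected tunnel protocol"
    src = ipaddress.ip_address(flow.src)
    if not any(src in ipaddress.ip_network(p) for p in peers):
        return "deny: unknown tunnel peer"
    return "permit"

def audit(flows):
    """Return (flow, verdict) for every flow an ACL should have dropped."""
    return [(f, v) for f in flows if (v := verdict(f)).startswith("deny")]

# Constructed sample flow records.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", UDP, 4789),  # expected VXLAN
    Flow("198.51.100.7", "192.0.2.10", GRE, None),  # wrong tunnel type for this address
    Flow("203.0.113.5", "192.0.2.20", GRE, None),   # expected GRE
    Flow("203.0.113.99", "192.0.2.20", GRE, None),  # right protocol, unknown peer
    Flow("198.51.100.7", "192.0.2.30", UDP, 53),    # not a decap address
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Any flow the audit returns is traffic that reached a decapsulation address without matching the approved protocol or peer, which is what the upstream or on-device ACL should be dropping.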
Federal Agencies Face June 23 Deadline
Following the addition of these vulnerabilities to the KEV Catalog, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply available patches or mitigation measures by June 23, 2026.
The directive is part of CISA’s ongoing effort to reduce exposure to actively exploited vulnerabilities that pose significant risks to government networks and critical infrastructure.
Final Thoughts
The inclusion of these vulnerabilities in CISA’s KEV Catalog serves as a reminder that attackers continue to exploit both newly discovered and previously disclosed security flaws. Organizations using affected Cisco, Google Chrome, or Arista products should immediately review their environments, apply available updates, and implement recommended mitigations to reduce the risk of compromise.
Proactive vulnerability management remains one of the most effective defenses against emerging cyber threats and active exploitation campaigns.
