Skip to main content
root@rebel:~$ cd /news/threats/cisa-kev-update-active-exploitation-of-arista-cisco-and-chrome_
[TIMESTAMP: 2026-06-11 09:43 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CISA KEV Update: Active Exploitation of Arista, Cisco, and Chrome

AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Malicious actors are actively exploiting vulnerabilities in Arista EOS, Cisco SD-WAN, and Chromium to compromise network infrastructure and user endpoints.
  • [02] Vulnerable systems include Arista Extensible Operating System, Cisco Catalyst SD-WAN Manager, and applications utilizing the Google Chromium V8 engine.
  • [03] Organizations must immediately update affected software to the latest versions to mitigate the risk of confirmed active exploitation.

Overview of the June 2026 KEV Additions

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding three new entries that are currently being leveraged by threat actors in the wild. According to CISA, these vulnerabilities affect critical enterprise infrastructure and widely used browser technology, posing a significant risk to the federal enterprise and private sector organizations alike.

The inclusion of these CVE entries—affecting Arista Networks, Cisco Systems, and Google Chromium—highlights a continued trend of attackers targeting edge networking equipment and memory-unsafe components in browser engines. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these flaws by a specific deadline, though all organizations are encouraged to prioritize these patches.

Technical Analysis of Exploited Vulnerabilities

The three vulnerabilities added to the catalog represent different TTP sets, ranging from logic flaws in authentication to memory corruption.

Arista EOS Authentication Bypass (CVE-2026-7473)

CVE-2026-7473 involves an incomplete comparison with missing factors within the Arista Extensible Operating System (EOS). This type of vulnerability typically occurs when an authentication module fails to verify all required credentials or tokens, potentially allowing an attacker to bypass security controls. In an enterprise environment, this could lead to unauthorized administrative access to core switching and routing hardware.

Security administrators looking for information on how to detect CVE-2026-7473 exploit should scrutinize authentication logs for successful login events that lack the expected multi-factor metadata or originate from anomalous IP addresses. Successful exploitation of this flaw can serve as a beachhead for Lateral Movement within the data center.

Cisco Catalyst SD-WAN Manager (CVE-2026-20245)

CVE-2026-20245 affects the Cisco Catalyst SD-WAN Manager. The flaw is rooted in improper encoding or escaping of output, a common weakness that often leads to XSS or secondary injection attacks. Within a centralized management platform like SD-WAN Manager, such a vulnerability is highly dangerous as it could allow an attacker to hijack a SOC analyst’s session or execute malicious scripts in the context of an administrative user.

Comprehensive Cisco Catalyst SD-WAN Manager patch guidance suggests that organizations must not only update the software but also audit the configuration of the management web interface, ensuring it is not exposed to the public internet without Zero Trust access controls.

Chromium V8 Memory Corruption (CVE-2026-11645)

CVE-2026-11645 is a high-severity out-of-bounds (OOB) read and write vulnerability in the Google Chromium V8 JavaScript engine. This Chromium V8 OOB read write vulnerability allows an attacker to manipulate the memory of the browser process, which is a foundational step in achieving RCE. Because Chromium powers a vast array of browsers, including Chrome, Edge, and Brave, the attack surface for this flaw is immense. Attackers typically exploit these memory safety issues via malicious websites to gain Privilege Escalation on the local workstation.

Defensive Recommendations and Remediation

Given that these vulnerabilities are confirmed to be under active exploitation, defenders must move beyond standard patch cycles. The following actions are recommended:

  1. Rapid Patch Deployment: Prioritize the update of all Arista EOS devices and Cisco SD-WAN Manager instances. For Chromium, ensure that auto-update policies are enforced across the fleet to mitigate the risk of end-user compromise.
  2. Enhanced Monitoring: Update SIEM and EDR signatures to detect common post-exploitation activities associated with these platforms. For networking gear, monitor for unauthorized configuration changes or the creation of new local user accounts.
  3. Vulnerability Scanning: Use authenticated scanning to identify specific versions of Arista EOS and Cisco software. For the browser vulnerability, utilize asset management tools to verify that all installed instances of Chromium-based browsers are at the current stable patch level.

Adherence to the MITRE ATT&CK framework can help teams map these vulnerabilities to potential adversary behaviors, allowing for more precise detection engineering in the wake of these KEV additions.

Advertisement