The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three newly identified vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV) due to active exploitation in the wild. The inclusion of these flaws, detailed in a recent announcement, signals a fresh wave of cyber threats that organizations must urgently address to maintain network security.
CISA’s KEV catalog serves as a critical resource for cybersecurity professionals, highlighting vulnerabilities that pose a significant and immediate risk to U.S. critical infrastructure and federal networks. Inclusion on this list mandates that federal civilian executive branch agencies implement available patches or mitigations by a specified deadline, underscoring the severity of these newly flagged security gaps.
Key Vulnerabilities Added to CISA’s KEV Catalog
The three vulnerabilities added to the KEV catalog are CVE-2026-20245, a flaw in Cisco Catalyst SD-WAN Manager; CVE-2026-11645, affecting Google Chrome’s V8 engine; and CVE-2026-7473, an issue in Arista Extensible Operating System (EOS). The Arista flaw has likewise been flagged for active exploitation and poses a particular challenge because of the vendor’s stance on patching.
CVE-2026-20245, rated with a CVSS score of 7.8, is an improper encoding or escaping of output vulnerability. According to reports, an authenticated, local attacker could leverage this flaw to execute arbitrary commands with root privileges. This is achieved by supplying a specially crafted file to the vulnerable system, potentially granting widespread control to malicious actors.
The second identified vulnerability, CVE-2026-11645, carries a higher CVSS score of 8.8, indicating a more severe risk. This out-of-bounds read and write vulnerability within Google Chrome’s V8 JavaScript engine could allow a remote attacker to execute arbitrary code within a sandbox. The exploitation method involves presenting a maliciously crafted HTML page to the targeted browser.
Arista EOS Flaw: No Patch Planned, Mitigations Recommended
Perhaps the most complex situation involves CVE-2026-7473 in Arista EOS, with a CVSS score of 6.9. This vulnerability stems from an incomplete comparison with missing factors, which can lead to the processing of non-configured tunnel traffic. Arista stated that on affected platforms running EOS with existing tunnel decapsulation configurations, such as VXLAN, decap-groups, or GRE tunnels, the switch can incorrectly decapsulate and forward unexpected tunneled packets.
The issue arises because the Arista switch does not adequately verify the tunnel protocol type, creating an opening for unauthorized traffic to be processed. This security defect primarily impacts the 7020R, 7280R/R2, and 7500R/R2 series of products. Crucially, exploitation requires the device to be configured as a tunnel endpoint with a specified decapsulation IP address.
Arista acknowledged that this vulnerability has been “reported as being exploited in the wild” and credited several individuals for their responsible disclosure. However, the company has indicated that no patches are planned for CVE-2026-7473. This decision is reportedly due to the potential risk of breaking existing configurations on deployed systems. Instead, Arista has provided mitigation strategies to address the risk.
The recommended mitigations rely on Access Control Lists (ACLs). Organizations can either apply ACLs on upstream devices so that only legitimate tunnel traffic reaches the switch, or apply them on the affected Arista devices themselves to block unexpected tunnel traffic. Both approaches aim to prevent the switch from decapsulating and processing tunneled traffic it was never configured to terminate.
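As an added illustration that is not part of the article or of Arista’s guidance, the following Python models the allow-list logic behind that ACL mitigation: tunnel-shaped packets (VXLAN on UDP/4789, GRE as IP protocol 47) addressed to the decapsulation IP are permitted only when they match both a configured tunnel type and a configured peer, so a GRE packet arriving at a VXLAN-only endpoint is dropped instead of being decapsulated. The endpoint address, peer list and sample packets are constructed placeholders, and the model deliberately ignores any platform’s real ACL syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

# Well-known identifiers; the addresses below are documentation-range placeholders.
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port
IPPROTO_UDP = 17
IPPROTO_GRE = 47       # GRE rides directly on IP, so it has no UDP port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # transport destination port, if any


@dataclass(frozen=True)
class TunnelEndpoint:
    decap_ip: str            # the switch's configured decapsulation address
    tunnel_types: frozenset  # tunnel kinds the operator actually configured
    peers: frozenset         # remote tunnel sources the operator expects


def tunnel_type(pkt: Packet) -> Optional[str]:
    """Classify a packet as 'vxlan', 'gre', or None when it is not tunnel-shaped."""
    if pkt.proto == IPPROTO_UDP and pkt.dport == VXLAN_UDP_PORT:
        return "vxlan"
    if pkt.proto == IPPROTO_GRE:
        return "gre"
    return None


def acl_action(pkt: Packet, ep: TunnelEndpoint) -> str:
    """Return 'permit' or 'deny' for one packet under the allow-list ACL."""
    kind = tunnel_type(pkt)
    if pkt.dst != ep.decap_ip or kind is None:
        return "permit"  # not tunnel traffic aimed at this endpoint; unaffected by the flaw
    if kind in ep.tunnel_types and pkt.src in ep.peers:
        return "permit"  # the tunnel the operator configured, from a known peer
    return "deny"        # unexpected type or source: exactly what the switch would wrongly decapsulate


def unexpected_tunnel_packets(pkts: List[Packet], ep: TunnelEndpoint) -> List[Packet]:
    """Packets the ACL blocks; a useful feed for logging and detection."""
    return [p for p in pkts if acl_action(p, ep) == "deny"]


# Constructed sample: the endpoint terminates VXLAN from a single configured peer.
ENDPOINT = TunnelEndpoint("198.51.100.1", frozenset({"vxlan"}), frozenset({"192.0.2.10"}))
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.1", IPPROTO_UDP, VXLAN_UDP_PORT),   # legitimate VXLAN
    Packet("203.0.113.7", "198.51.100.1", IPPROTO_GRE),                  # GRE was never configured
    Packet("203.0.113.7", "198.51.100.1", IPPROTO_UDP, VXLAN_UDP_PORT),  # VXLAN from an unknown peer
    Packet("203.0.113.9", "198.51.100.1", 6, 22),                        # SSH to the switch, not a tunnel
]
```

Running `unexpected_tunnel_packets(SAMPLE, ENDPOINT)` yields the GRE packet and the VXLAN packet from the unknown peer, which is the traffic the advisory’s ACLs are meant to stop before decapsulation.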
Federal Civilian Executive Branch (FCEB) agencies have been directed by CISA to implement the necessary fixes or employ the outlined mitigations for all three vulnerabilities by June 23, 2026. This deadline emphasizes the urgency for these entities to secure their systems against these actively exploited threats and maintain robust network security practices.

