Ethical Hacking News

CISA Addresses Unchecked Arista EOS Flaw Amid Active Exploitation Concerns


CISA has added three new vulnerabilities to its KEV catalog amid active exploitation concerns: a critical flaw in Cisco Catalyst SD-WAN Manager, an out-of-bounds read and write issue in Google Chrome V8, and a tunnel-handling flaw in Arista EOS. The additions are intended to prompt the fixes and mitigations needed to prevent security breaches.

  • The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  • CVE-2026-20245, CVE-2026-11645, and CVE-2026-7473 have been identified as critical flaws in Cisco Catalyst SD-WAN Manager, Google Chrome V8, and Arista Extensible Operating System (EOS), respectively.
  • The vulnerabilities carry high CVSS scores, indicating their potential impact on system security.
  • Arista has acknowledged that the CVE-2026-7473 vulnerability has been exploited in the wild but will not provide patches due to potential configuration breakage risks.
  • Federal agencies have until June 23, 2026, to apply necessary fixes or mitigations to protect against these vulnerabilities.



The cybersecurity landscape has been abuzz with the latest developments from the United States Cybersecurity and Infrastructure Security Agency (CISA), which has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The additions, each attributed to active exploitation, highlight the ever-evolving threat landscape that organizations must navigate.

The list of newly identified vulnerabilities includes CVE-2026-20245, a critical flaw in Cisco Catalyst SD-WAN Manager that could allow an authenticated local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability carries a CVSS score of 7.8, emphasizing its potential impact on system security.

Another vulnerability, CVE-2026-11645, is an out-of-bounds read and write issue in Google Chrome V8 that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This flaw is assessed at a CVSS score of 8.8, underscoring its potential severity.

Lastly, CVE-2026-7473 is an "incomplete comparison with missing factors" weakness in Arista Extensible Operating System (EOS) that could be exploited to have the switch process non-configured tunnel traffic. The switch decapsulates and forwards unexpected tunneled packets whose destination IP matches the configured decapsulation IP, because it does not verify the tunnel protocol type; the result is that tunnel traffic the operator never configured is processed as if it were legitimate.

Arista has acknowledged that CVE-2026-7473 has been "reported as being exploited in the wild," crediting Comcast's Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis for responsibly disclosing it. However, Arista has stated that no patches are planned to address this flaw, citing the risk that a fix could break existing configurations on deployed systems.

In response to the threat posed by these three vulnerabilities, federal civilian executive branch (FCEB) agencies have been ordered to apply the necessary fixes or mitigations by June 23, 2026. These measures aim to counter the threat posed by the vulnerabilities and mitigate potential security breaches.

The addition of these vulnerabilities is a reminder of the ever-present threat landscape that organizations must navigate. Stakeholders should remain vigilant in monitoring vulnerability updates and applying the necessary fixes or mitigations to protect against potential exploitation.
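The Arista EOS flaw above is described as an incomplete comparison: the decapsulation decision matches the destination address but does not factor in the configured tunnel protocol type. The following is an added example, not code from the article and not Arista's implementation, that models that decision in Python with the incomplete check beside a complete one, and reuses the complete check as a detection pass over flow records. The `DecapConfig` model, the `key=value` flow-record format, and the addresses (RFC 5737 documentation ranges) are all constructed for illustration; only the IANA protocol numbers for IP-in-IP (4) and GRE (47) are real.

```python
"""Model of a tunnel decapsulation check with and without the
missing factor (tunnel protocol type), plus a detection pass over
constructed flow records. Hypothetical example; not Arista EOS code."""
import re
from dataclasses import dataclass
from typing import List

PROTO_IPIP = 4    # IANA IPv4 protocol number: IP-in-IP
PROTO_GRE = 47    # IANA IPv4 protocol number: GRE
TUNNEL_PROTOS = {PROTO_IPIP, PROTO_GRE}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # outer IPv4 protocol number
    size: int


@dataclass(frozen=True)
class DecapConfig:
    """Hypothetical operator configuration: one decapsulation address
    and the single tunnel type it was configured for."""
    decap_ip: str
    proto: int


_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow_line(line: str) -> Packet:
    """Parse a constructed 'key=value' flow record into a Packet."""
    fields = dict(_KV.findall(line))
    return Packet(src=fields["src"], dst=fields["dst"],
                  proto=int(fields["proto"]), size=int(fields["bytes"]))


def should_decap_incomplete(pkt: Packet, cfg: DecapConfig) -> bool:
    """The incomplete comparison the article describes: the destination
    is compared, but the configured tunnel type is a missing factor, so
    any tunnel type addressed to the decap IP is accepted."""
    return pkt.dst == cfg.decap_ip and pkt.proto in TUNNEL_PROTOS


def should_decap_complete(pkt: Packet, cfg: DecapConfig) -> bool:
    """Complete comparison: destination and tunnel protocol type must
    both match the configuration."""
    return pkt.dst == cfg.decap_ip and pkt.proto == cfg.proto


def find_unexpected_tunnel_traffic(lines: List[str], cfg: DecapConfig) -> List[Packet]:
    """Return records the incomplete check would decapsulate but the
    complete check rejects. Run over flow exports from a switch that
    cannot be patched, this flags non-configured tunnel traffic
    reaching the decapsulation address."""
    flagged = []
    for line in lines:
        pkt = parse_flow_line(line)
        if should_decap_incomplete(pkt, cfg) and not should_decap_complete(pkt, cfg):
            flagged.append(pkt)
    return flagged


# Constructed sample flow records (documentation address ranges).
SAMPLE_FLOWS = [
    "src=198.51.100.7 dst=192.0.2.1 proto=47 bytes=1200",    # GRE to decap IP: configured
    "src=198.51.100.9 dst=192.0.2.1 proto=4 bytes=900",      # IP-in-IP to decap IP: not configured
    "src=198.51.100.11 dst=192.0.2.50 proto=4 bytes=900",    # IP-in-IP elsewhere: not a decap target
    "src=203.0.113.4 dst=192.0.2.1 proto=17 bytes=300",      # UDP to decap IP: not tunnel traffic
]
CONFIG = DecapConfig(decap_ip="192.0.2.1", proto=PROTO_GRE)

if __name__ == "__main__":
    for p in find_unexpected_tunnel_traffic(SAMPLE_FLOWS, CONFIG):
        print(f"unexpected tunnel traffic: {p.src} -> {p.dst} proto={p.proto} bytes={p.size}")
```

With the GRE-only configuration, only the IP-in-IP record addressed to the decapsulation IP is flagged: the GRE record is the configured case, the IP-in-IP record to another host never reaches the decapsulation path, and the UDP record is not tunnel traffic at all. Where no vendor fix is available, the same complete comparison can be applied at an upstream filter (permit only the configured tunnel protocol to the decapsulation address) or run as a detection over exported flow data.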



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Addresses-Unchecked-Arista-EOS-Flaw-Amid-Active-Exploitation-Concerns-ehn.shtml
  • https://thehackernews.com/2026/06/cisa-adds-cisco-chrome-and-arista-flaws.html
  • https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog
  • https://nvd.nist.gov/vuln/detail/CVE-2026-20245
  • https://www.cvedetails.com/cve/CVE-2026-20245/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-11645
  • https://www.cvedetails.com/cve/CVE-2026-11645/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-7473
  • https://www.cvedetails.com/cve/CVE-2026-7473/


  • Published: Wed Jun 10 13:26:58 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.