CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The Hacker News
Ravie Lakshmanan, Jun 10, 2026, Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation.
The list of vulnerabilities is as follows -
CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
CVE-2026-11645 (CVSS score: 8.8) - An out-of-bounds read and write vulnerability in Google Chrome V8 that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-7473 (CVSS score: 6.9) - An incomplete comparison with missing factors vulnerability in Arista Extensible Operating System (EOS) that could be exploited to process non-configured tunnel traffic.
No Patch Planned for Exploited Arista EOS Flaw
"On affected platforms running Arista EOS where a tunnel decapsulation configuration - such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface - is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP," Arista said.
"This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic."
The security defect mainly impacts 7020R, 7280R/R2, and 7500R/R2 series products. However, for successful exploitation to occur, the device must be configured as a tunnel endpoint with a decapsulation IP, such as a VXLAN VTEP, a GRE tunnel endpoint, or with an IP decap-group.
The network equipment company acknowledged that the vulnerability has been "reported as being exploited in the wild," crediting Comcast's Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis for responsibly disclosing it.
Despite this, Arista said no patches are planned for CVE-2026-7473, citing the risk that a fix could break existing configurations in deployed networks. Instead, the company has outlined mitigations for the issue.
"There are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening," Arista said. "In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic."
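The check Arista describes and the ACL-style mitigation, modelled in Python as an added illustration (this is not Arista's code or EOS syntax; the decap address, peer addresses and packets are constructed from documentation IP ranges):

```python
# Added illustration, not Arista's code: models the "incomplete comparison"
# behind CVE-2026-7473 (decap decided on destination IP alone) and the
# ACL-based mitigation of admitting only known tunnel peers.
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
IPPROTO_UDP, IPPROTO_GRE = 17, 47

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                 # outer IP protocol number
    dport: int = 0             # UDP destination port, 0 when not UDP

@dataclass(frozen=True)
class DecapConfig:
    decap_ip: str              # configured VTEP / tunnel endpoint address
    proto: int                 # tunnel type the operator actually configured
    dport: int = 0             # UDP port for VXLAN, 0 for GRE

def vulnerable_decap(pkt: Packet, cfg: DecapConfig) -> bool:
    """Flawed comparison: only the destination IP is checked, so any
    tunnel type addressed to the decap IP gets decapsulated and forwarded."""
    return pkt.dst == cfg.decap_ip

def strict_decap(pkt: Packet, cfg: DecapConfig) -> bool:
    """Complete comparison: destination IP AND outer protocol AND UDP port
    must all match the configured tunnel before decapsulation."""
    return (pkt.dst == cfg.decap_ip and pkt.proto == cfg.proto
            and pkt.dport == cfg.dport)

def is_tunnel_to_decap_ip(pkt: Packet, cfg: DecapConfig) -> bool:
    """True for GRE or VXLAN/UDP packets aimed at the decapsulation address."""
    if pkt.dst != cfg.decap_ip:
        return False
    return pkt.proto == IPPROTO_GRE or (
        pkt.proto == IPPROTO_UDP and pkt.dport == VXLAN_UDP_PORT)

def acl_permit(pkt: Packet, cfg: DecapConfig, trusted_peers: set) -> bool:
    """Mitigation in the spirit of the advisory: an ACL in front of the
    decap point passes only the configured tunnel type from known peers
    to the decap IP; all other traffic is untouched."""
    if not is_tunnel_to_decap_ip(pkt, cfg):
        return True            # not tunnel traffic for this endpoint
    return pkt.src in trusted_peers and strict_decap(pkt, cfg)
```

Running both checks over a legitimate VXLAN packet and a GRE packet from an unknown source to the same decap IP shows the difference: the flawed check accepts both, the strict check and the ACL accept only the configured tunnel from a trusted peer.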
Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the necessary fixes or mitigations by June 23, 2026, to counter the threat posed by the three vulnerabilities.