
CISA added three new vulnerabilities to its Known Exploited Vulnerabilities catalog on June 9, 2026: CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-11645 (Google Chromium V8), and CVE-2026-7473 (Arista Extensible Operating System).
CVE-2026-20245 — Cisco Catalyst SD-WAN Manager | Root Command Execution Zero-Day
CVSS: 7.8 (High)
CWE: CWE-116 (Improper Encoding or Escaping of Output)
Patch Status: No patch available. No workarounds available.
Discovered by: Mandiant
The vulnerability resides in the command-line interface of Cisco Catalyst SD-WAN Manager and stems from insufficient validation of user-supplied input when processing file arguments. An attacker supplies a specially crafted file to the SD-WAN Manager CLI — insufficient input validation allows that file to execute arbitrary OS-level commands with root privileges.
Privilege Prerequisite and the Chain
To exploit CVE-2026-20245, an attacker must have netadmin-level credentials on the affected system. However, Cisco has confirmed that attackers are chaining CVE-2026-20245 with CVE-2026-20182 (CVSS 10.0 authentication bypass) and CVE-2026-20127 to first achieve initial access before escalating to root execution. In practice, this chaining removes the privilege prerequisite.
Blast Radius
Cisco confirmed limited cases in which exploitation resulted in configuration changes being pushed to downstream edge devices — meaning a single compromised SD-WAN Manager instance becomes a lever for malicious configurations to propagate across the entire SD-WAN fabric.
CVE-2026-20245 affects all Cisco SD-WAN deployment types: on-premises, Cloud-Pro, Cloud (Cisco-Managed), and FedRAMP environments.
Contextual Note
CVE-2026-20245 marks the seventh actively exploited zero-day in Cisco SD-WAN systems in 2026 alone. The pattern across this series — authentication bypass, privilege escalation, and configuration manipulation all drawn from overlapping regions of the SD-WAN codebase — suggests the product has accumulated significant security debt in components handling inter-device trust, management-plane authentication, and administrative input processing.
Detection
Cisco’s guidance specifically instructs customers to preserve evidence by running the request admin-tech command from each SD-WAN control component before upgrading, because collecting logs after remediation can erase or rotate the evidence needed to confirm whether the control plane was abused. Cisco has provided indicators of compromise in the form of specific log entries in its advisory.
Remediation: No standalone patch for CVE-2026-20245. Cisco instructs customers to upgrade to the fixed software documented in its May 2026 Catalyst SD-WAN advisory for CVE-2026-20182, then verify edge-device configuration state.
CVE-2026-11645 — Google Chromium V8 | Out-of-Bounds Read/Write Zero-Day
CVSS: 8.8 (High)
Affected: Chrome prior to 149.0.7827.103
Fixed In: Chrome 149.0.7827.103 (Windows/macOS), 149.0.7827.102 (Linux)
Fifth Chrome Zero-Day in 2026
CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, Chrome’s JavaScript and WebAssembly engine. It allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. Google has acknowledged that an exploit exists in the wild.
Root Cause — TurboFan JIT Compiler
The flaw arises from an incorrect bounds-check elimination during JIT compilation by V8’s TurboFan high-tier optimizing compiler. The out-of-bounds read/write produces memory corruption that grants the attacker exploitation primitives inside the sandboxed renderer process.
Exploitation Mechanics and Chaining
Successful exploitation can allow an attacker to steal sensitive session data, read cookies, intercept active user transactions, and capture input on currently open tabs. To achieve full system compromise, CVE-2026-11645 must be chained with a secondary vulnerability — such as an OS kernel flaw or a browser IPC broker vulnerability — to escape the sandbox.
Out-of-bounds memory access can also help bypass protections such as ASLR, potentially making a second vulnerability easier to weaponise when chained.
Scope
The Chromium V8 vulnerability affects multiple browsers utilising the Chromium engine, including Google Chrome, Microsoft Edge, and Opera — not just Chrome. Enterprise teams managing multi-browser environments must account for Edge and Opera patching separately alongside Chrome fleet updates.
The same Chrome 149 update delivers 74 total security fixes, including 17 rated critical. Related V8 vulnerabilities CVE-2026-11649 and CVE-2026-11650, a type confusion in Bindings (CVE-2026-11662), and a lifecycle flaw in SVG objects (CVE-2026-11688) are also addressed in this release.
Detection: No public IOCs or exploit chain specifics have been disclosed. Google has withheld additional technical details as standard practice until the majority of users are updated. Detection focus should be on identifying unmanaged or unpatched Chrome installations and enforcing a relaunch post-update across managed fleets — old Chrome processes that remain running after an update have not applied the fix.
Remediation: Update Chrome to 149.0.7827.103 (Windows/macOS) or 149.0.7827.102 (Linux). Verify Edge and Opera patch status independently.
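The fleet check described under Detection can be scripted as below. This is an added example, not code from Google or CISA: it compares each host's installed and running Chrome build against the per-platform fixed builds listed above, and the inventory schema (host, browser, os, installed, running) and sample rows are assumptions constructed for illustration.

```python
# Fixed builds come from the article; the inventory rows are constructed sample data.
FIXED_CHROME = {
    "windows": "149.0.7827.103",
    "macos": "149.0.7827.103",
    "linux": "149.0.7827.102",
}


def parse_version(text):
    """Turn '149.0.7827.103' into (149, 0, 7827, 103) so builds compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(host):
    """Classify one inventory row (hypothetical schema: browser, os, installed, running)."""
    if host["browser"] != "chrome":
        # Edge and Opera ship their own build numbers; check them against vendor notes.
        return "CHECK_VENDOR_RELEASE"
    fixed = FIXED_CHROME.get(host["os"])
    if fixed is None:
        return "UNKNOWN_PLATFORM"
    if parse_version(host["installed"]) < parse_version(fixed):
        return "UPDATE_REQUIRED"
    running = host.get("running")
    # An updated install is still exposed while a pre-update process keeps running.
    if running and parse_version(running) < parse_version(fixed):
        return "RELAUNCH_REQUIRED"
    return "OK"


def fleet_report(inventory):
    """Map hostname -> status for every host that needs action."""
    report = {h["host"]: triage(h) for h in inventory}
    return {name: status for name, status in report.items() if status != "OK"}


# Constructed inventory, e.g. exported from an endpoint-management tool.
SAMPLE_INVENTORY = [
    {"host": "win-01", "browser": "chrome", "os": "windows", "installed": "149.0.7827.103", "running": "149.0.7827.103"},
    {"host": "win-02", "browser": "chrome", "os": "windows", "installed": "149.0.7827.102", "running": "149.0.7827.102"},
    {"host": "lin-01", "browser": "chrome", "os": "linux", "installed": "149.0.7827.102", "running": None},
    {"host": "mac-01", "browser": "chrome", "os": "macos", "installed": "149.0.7827.103", "running": "148.0.7700.90"},
    {"host": "win-03", "browser": "edge", "os": "windows", "installed": "149.0.3900.10", "running": None},
]

if __name__ == "__main__":
    for name, status in fleet_report(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Note that build 149.0.7827.102 is reported as fixed on Linux but as needing an update on Windows, which is why the comparison is keyed by platform.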
CVE-2026-7473 — Arista EOS | Tunnel Decapsulation Bypass
CVSS: 6.9 (Medium)
CWE: CWE-20 (Incomplete Comparison with Missing Factors)
Patch Status: No patch planned
CVE-2026-7473 affects Arista EOS platforms with tunnel decapsulation configurations enabled — including VXLAN, decap-groups, or GRE tunnel interfaces. The core issue is that the affected switch fails to verify the tunnel protocol type, causing it to incorrectly decapsulate and forward unexpected tunneled packets if their destination IP matches the configured decapsulation IP.
Affected Hardware
Affected platforms include the 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (limited exposure to IP-in-IPv6 and GUEv6), and 7500R3 Series.
Why This Matters
The practical impact of tunnel protocol bypass on data centre switching infrastructure is traffic steering and traffic interception. An attacker who can inject crafted tunneled packets into the network can manipulate forwarding decisions — directing traffic to attacker-controlled destinations or bypassing network segmentation controls that rely on tunnel-type awareness for enforcement.
Arista has confirmed no patch is planned. CISA’s guidance is to apply vendor-supplied mitigations or discontinue use of the vulnerable devices. Organisations running affected Arista hardware should immediately review Arista Security Advisory 0137 for mitigation configuration guidance and assess whether any untrusted traffic sources can reach tunnel-decapsulation-enabled interfaces.
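To support the exposure assessment above, the following added example (not Arista's or CISA's code) reviews flow records for tunneled traffic that reaches a decapsulation IP with a protocol type other than the configured one, or from a source outside the expected tunnel endpoints. The decap IPs, trusted prefixes, flow-record fields and sample records are assumptions constructed for illustration.

```python
import ipaddress

# IANA IP protocol numbers: 4 = IP-in-IP, 17 = UDP, 47 = GRE. VXLAN uses UDP port 4789.
IPIP, UDP, GRE, VXLAN_PORT = 4, 17, 47, 4789

# Hypothetical site data: decap IP -> tunnel type it is configured for, and the
# prefixes from which tunnel endpoints are expected to send.
DECAP_ENDPOINTS = {"192.0.2.10": "gre", "192.0.2.20": "vxlan"}
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def tunnel_type(flow):
    """Name the encapsulation of a flow record, or None if it is not tunneled."""
    if flow["proto"] == GRE:
        return "gre"
    if flow["proto"] == IPIP:
        return "ip-in-ip"
    if flow["proto"] == UDP and flow.get("dport") == VXLAN_PORT:
        return "vxlan"
    return None


def review_flows(flows):
    """Return (src, dst, reason) for tunneled flows that should not reach a decap IP."""
    findings = []
    for flow in flows:
        expected = DECAP_ENDPOINTS.get(flow["dst"])
        seen = tunnel_type(flow)
        if expected is None or seen is None:
            continue  # not addressed to a decap IP, or not tunneled
        src = ipaddress.ip_address(flow["src"])
        if seen != expected:
            # The comparison the article says the switch omits: protocol type.
            findings.append((flow["src"], flow["dst"], f"unexpected {seen}, configured {expected}"))
        elif not any(src in net for net in TRUSTED_SOURCES):
            findings.append((flow["src"], flow["dst"], "tunnel traffic from untrusted source"))
    return findings


# Constructed flow records (documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": GRE},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": IPIP},
    {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": UDP, "dport": VXLAN_PORT},
    {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": UDP, "dport": 53},
    {"src": "198.51.100.5", "dst": "192.0.2.99", "proto": GRE},
]
```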


