CISA updated the Known Exploited Vulnerabilities catalogue on 9 June 2026 with three new entries covering a browser zero-day, a network management platform authentication bypass, and a network operating system privilege escalation. All three carry a 30 June 2026 remediation deadline under Binding Operational Directive 22-01.
CVE-2026-11645: Google Chrome V8 Out-of-Bounds Write
Severity: High (CVSS 8.8). Actively exploited: Yes, confirmed by Google’s threat analysis team.
CVE-2026-11645 is an out-of-bounds write in Chrome’s V8 JavaScript engine, patched in Chrome 149.0.7762.95 released simultaneously with CISA’s KEV addition. Google confirmed active exploitation before the patch was available. The vulnerability allows a remote attacker to achieve arbitrary code execution within Chrome’s renderer process through a malicious web page, with sandbox escape potential for full endpoint compromise.
This is the third V8 zero-day added to the KEV in 2026. The cadence reflects both the frequency of V8 vulnerability research by sophisticated threat actors and the high deployment density of Chrome-based browsers in enterprise environments.
Remediation: Update Chrome to version 149.0.7762.95 or later. For Chromium-based browsers (Edge, Brave, Opera), await vendor-specific updates patching the same underlying Chromium commit.
CVE-2026-20245: Cisco SD-WAN Authentication Bypass
Severity: Critical (CVSS 9.8). Affected products: Cisco vManage (SD-WAN Network Management System), Cisco IOS XE SD-WAN Software.
CVE-2026-20245 is an authentication bypass in the Cisco SD-WAN web-based management interface. An unauthenticated remote attacker can send specially crafted HTTP requests to bypass authentication and access the management API with administrative privileges.
Cisco SD-WAN / vManage is used to centralise configuration, monitoring, and policy management for enterprise SD-WAN deployments across branch offices, data centres, and cloud sites. Administrative access to vManage provides control over the entire SD-WAN fabric — traffic routing, security policy, and tunnel encryption keys.
Remediation: Apply Cisco Security Advisory cisco-sa-sdwan-auth-bypass-8cGzBUh patch. Cisco released the advisory concurrent with CISA’s KEV addition. If patching is not immediately possible, restrict access to the vManage web interface and REST API to authorised management networks only.
CVE-2026-7473: Arista EOS Privilege Escalation via Command Injection
Severity: High (CVSS 8.8). Affected products: Arista EOS (Extensible Operating System) versions 4.28 through 4.33.
CVE-2026-7473 is a command injection vulnerability in Arista EOS’s command-line interface that allows an authenticated low-privilege user to inject shell commands that execute with root privilege. Arista EOS is the network operating system deployed on Arista data centre and campus switches — common in large enterprise, cloud, and financial sector environments.
The exploitation path requires an authenticated CLI session (network operator credentials), making this a privilege escalation rather than remote exploitation vulnerability. However, in environments where Arista switch access is shared across multiple teams or where operator-level credentials have been compromised, CVE-2026-7473 allows full switch compromise including configuration access, VLAN modification, and spanning tree manipulation.
Remediation: Update to Arista EOS 4.34.0 or later, or apply the EOS security patch for affected 4.28–4.33 branches per Arista Security Advisory SA0093.
Vulnerability Management Implications
The June 9 KEV batch illustrates the breadth of the current threat landscape: a browser engine, a network management platform, and a network operating system addressed simultaneously. Effective KEV tracking requires coverage across endpoint, network, and application infrastructure — not only operating systems and servers.
For organisations using CISA’s KEV catalogue as a vulnerability prioritisation input:
- The 30 June deadline applies to federal agencies (BOD 22-01) but represents a reasonable benchmark for all organisations
- The Chrome update should be applied on a shorter timeline (within 24–48 hours) given confirmed active exploitation
- Cisco vManage and Arista EOS updates should be applied within the standard critical vulnerability window for each organisation’s network infrastructure change management process
Tracking all three KEV additions requires coordination across endpoint management teams (Chrome), network operations teams (Cisco SD-WAN, Arista EOS), and the security operations team monitoring the KEV feed — a good test of an organisation’s cross-team vulnerability management coordination.
Share this article