U.S. CISA Adds Cisco Catalyst SD-WAN, Arista Extensible Operating System (EOS), and Google Chromium V8 Flaws to Its Known Exploited Vulnerabilities Catalog

The CISA Known Exploited Vulnerabilities (KEV) catalog has become a barometer for the most pressing cyber threats facing both public and private sectors. By publishing actively exploited flaws, the agency forces organizations to prioritize patching efforts that might otherwise be delayed. The recent inclusion of three high‑impact bugs—spanning network operating systems, a major web browser engine, and a widely deployed SD‑WAN solution—underscores a broader trend: attackers are increasingly targeting the foundational layers of enterprise connectivity and user interaction.

Arista’s EOS vulnerability (CVE‑2026‑7473) exploits incomplete tunnel‑decapsulation checks, allowing malicious packets to bypass protocol validation and potentially reroute traffic or bypass security controls. Google’s V8 out‑of‑bounds read/write bug (CVE‑2026‑11645) represents the fifth Chrome zero‑day exploited in 2026, giving threat actors a pathway to remote code execution within the browser sandbox. Meanwhile, Cisco’s SD‑WAN Manager flaw (CVE‑2026‑20245) grants root‑level command execution to any attacker who gains net‑admin credentials—a scenario made easier by prior credential‑theft exploits. None of these issues have publicly released patches, heightening urgency for immediate mitigation.

CISA’s Binding Operational Directive 22‑01 mandates that federal agencies patch or otherwise mitigate these vulnerabilities by June 23, 2026, a deadline that private firms should mirror to avoid regulatory scrutiny and operational risk. Organizations should conduct rapid inventory checks to confirm exposure, deploy compensating controls such as network segmentation and strict access controls, and monitor vendor advisories for emergency patches. In an environment where supply‑chain attacks and zero‑day exploits are proliferating, a disciplined, proactive response to KEV listings is a critical component of any robust cybersecurity strategy.