This month: 11 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-50751
Check Point · Security Gateway
Check Point Security Gateway Improper Authentication Vulnerability
Detected Jun 8 · 3-day patch deadline
CVE-2026-45247
Mirasvit · Mirasvit Full Page Cache Warmer
Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
Detected Jun 3 · 3-day patch deadline
CVE-2022-0492
Linux · Kernel
Linux Kernel Improper Authentication Vulnerability
Detected Jun 2 · 3-day patch deadline

KEV Intelligence Brief — June 9, 2026

Prepared for: Federal Contractors · DevOps & Platform Engineering · Security Operations Leadership
Brief Date: Tuesday, June 9, 2026 | Entries Covered: 8 CVEs added June 3–9, 2026

CISA's latest KEV additions span network edge infrastructure, AI middleware, browser engines, and legacy Windows components — a cross-stack sweep that signals broad, opportunistic exploitation rather than a single coordinated campaign. Several deadlines have already passed or fall within 72 hours. Treat this brief as an immediate action checklist, not a reading assignment.

Deadline Watch: Edge Infrastructure and VPN Under Active Fire

Three entries targeting network perimeter and SD-WAN infrastructure, plus an internet-exposed file transfer server, demand the shortest response windows and carry the highest organizational blast radius.

CVE-2026-50751 (Check Point Security Gateway) is the most urgent entry in this batch. CISA's patch deadline is June 11, two days from now. The vulnerability is an improper authentication flaw in the IKEv1 key exchange implementation: an unauthenticated remote attacker can bypass password-based authentication entirely and establish a valid remote-access VPN tunnel. This is not a privilege escalation; it is a perimeter elimination. Organizations running Check Point Security Gateway for remote access should treat this as a potential active-breach condition. If patching is not achievable before Thursday, isolate the affected gateway, force-terminate active VPN sessions, rotate all associated service credentials, and review the gateway's VPN and IKE logs for tunnels from unfamiliar source addresses or user identities before verifying that no lateral movement has occurred from VPN-connected sessions. Because the flaw sits in IKEv1, gateways that do not need IKEv1 should have it disabled now, and IKEv1 deprecation elsewhere should be accelerated regardless of patch status.
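IKEv1 deprecation starts with knowing which peers still negotiate it. The protocol version and exchange type live in the fixed 28-byte ISAKMP header that both IKE versions share, so a capture of UDP/500 and UDP/4500 traffic is enough to build the worklist. The Python below is an added example written for this brief, not Check Point's code or anything from the advisory; the datagrams it parses are constructed, and treating an all-zero responder cookie as "first message from the initiator" is the IKEv1 convention rather than a flag in the header.

```python
"""Classify IKE datagrams by protocol version and exchange type.

Added example for this brief, not Check Point code. It reads only the
28-byte ISAKMP header that IKEv1 (RFC 2408) and IKEv2 (RFC 7296) share,
so it works on anything captured from UDP/500 or UDP/4500 (NAT-T).
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# UDP/4500 carries both ESP and IKE; IKE datagrams start with a 4-byte zero marker.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

IKEV1_EXCHANGES = {1: "base", 2: "main-mode", 3: "auth-only", 4: "aggressive",
                   5: "informational", 32: "quick-mode", 33: "new-group"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IkeHeader:
    major: int
    minor: int
    exchange: str
    initiator: bool   # IKEv2: flags bit 0x08; IKEv1: responder cookie still all-zero
    length: int


def parse_ike(datagram: bytes, udp_port: int = 500) -> Optional[IkeHeader]:
    """Return the parsed header, or None if the datagram is not IKE."""
    if udp_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            return None                      # ESP-in-UDP, not IKE
        datagram = datagram[len(NON_ESP_MARKER):]
    if len(datagram) < ISAKMP_HDR.size:
        return None                          # truncated
    _ispi, rspi, _next, version, exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    if major == 1:
        return IkeHeader(1, minor, IKEV1_EXCHANGES.get(exch, f"ikev1-exchange-{exch}"),
                         rspi == bytes(8), length)
    if major == 2:
        return IkeHeader(2, minor, IKEV2_EXCHANGES.get(exch, f"ikev2-exchange-{exch}"),
                         bool(flags & 0x08), length)
    return None                              # not a version we know


def ikev1_peers(flows):
    """Map (src, dst) -> sorted IKEv1 exchange names seen, i.e. the deprecation worklist.

    flows: iterable of (src_ip, dst_ip, dst_udp_port, payload).
    """
    seen = defaultdict(set)
    for src, dst, port, payload in flows:
        hdr = parse_ike(payload, port)
        if hdr is not None and hdr.major == 1:
            seen[(src, dst)].add(hdr.exchange)
    return {peer: sorted(names) for peer, names in seen.items()}


def build_header(version, exch, flags=0, rspi=bytes(8)):
    """Build a bare ISAKMP header for the constructed samples below."""
    return ISAKMP_HDR.pack(b"\x11" * 8, rspi, 0, version, exch, flags, 0, ISAKMP_HDR.size)


# Constructed sample datagrams (RFC 5737 addresses), not captured traffic.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.1", 500, build_header(0x10, 2)),                    # IKEv1 main mode, first message
    ("203.0.113.11", "198.51.100.1", 500, build_header(0x10, 4)),                    # IKEv1 aggressive mode
    ("198.51.100.1", "203.0.113.11", 500, build_header(0x10, 4, rspi=b"\x22" * 8)),  # gateway's aggressive-mode reply
    ("203.0.113.12", "198.51.100.1", 500, build_header(0x20, 34, flags=0x08)),       # IKEv2 IKE_SA_INIT
    ("203.0.113.13", "198.51.100.1", 4500,
     NON_ESP_MARKER + build_header(0x10, 32, rspi=b"\x33" * 8)),                    # IKEv1 quick mode over NAT-T
    ("203.0.113.14", "198.51.100.1", 4500, b"\x45" * 40),                            # ESP-in-UDP, ignored
    ("203.0.113.15", "198.51.100.1", 500, b"\x00" * 10),                             # truncated, ignored
]

if __name__ == "__main__":
    for (src, dst), exchanges in sorted(ikev1_peers(SAMPLE_FLOWS).items()):
        print(f"{src:>14} -> {dst:<14} IKEv1 {', '.join(exchanges)}")
```

Feed it (src, dst, port, payload) tuples from whatever capture library you already use. Any peer listed with main-mode or aggressive entries is still establishing IKEv1 SAs and belongs at the top of the deprecation list; aggressive mode should go first, since it sends the identity payload before encryption is established.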

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager, formerly vManage) and CVE-2026-7473 (Arista EOS) both carry a June 23 deadline. The Cisco vulnerability requires local authenticated access to exploit, but in SD-WAN environments "local" is a relative term: a compromised management plane user or a misconfigured RBAC policy is all that separates an attacker from root command execution via a crafted file. Audit who holds authenticated access to the SD-WAN Manager console immediately, and remove accounts that exist only for convenience. For Arista EOS, the tunneled packet decapsulation flaw is subtle but dangerous in multi-tenant or cloud-interconnect environments: an attacker who can craft packets destined for the switch's decapsulation IP can manipulate forwarding behavior in ways that may bypass segmentation controls. Prioritize EOS patching on any switches handling VXLAN or GRE termination in sensitive network zones, and where patching must wait, restrict traffic to the decapsulation address to the expected tunnel endpoints.

CVE-2026-28318 (SolarWinds Serv-U) carries a June 19 deadline and requires no authentication whatsoever. A single crafted POST request with a Content-Encoding: deflate header crashes the Serv-U service, an unauthenticated denial of service against a file transfer platform. Given SolarWinds' history as a target of sophisticated threat actors, treat the DoS as a possible precursor to follow-on access attempts rather than merely a nuisance. If Serv-U is internet-facing, put its HTTP interfaces behind a reverse proxy that rejects requests carrying Content-Encoding: deflate until the patch is applied, restrict the management interface to administrative networks, and alert on repeated service restarts.

AI Middleware, Browser Engines, and the Expanding Developer Attack Surface

Two entries reflect an increasingly prominent pattern: adversaries targeting the software delivery and AI toolchain layers that sit beneath production applications.

CVE-2026-42271 (BerriAI LiteLLM) is the most consequential entry for teams running AI gateway or LLM proxy infrastructure. The command injection vulnerability can be triggered by any authenticated user, including holders of low-privilege internal-user API keys, a credential tier that many teams distribute broadly for internal testing and development. A compromised developer laptop or a leaked .env file is therefore sufficient to achieve arbitrary command execution on the LiteLLM host. The patch deadline is June 22. Beyond patching, audit every issued API key, revoke any keys not actively in use, and ensure LiteLLM hosts are not running with elevated OS privileges. Container deployments should run LiteLLM as a non-root user, deny host-path mounts, and treat the upstream provider API keys the proxy holds as the real prize: if compromise is suspected, rotate those first.

CVE-2026-11645 (Google Chromium V8) is an out-of-bounds read/write flaw enabling remote code execution via a crafted HTML page, with a June 23 deadline. It affects Chrome, Microsoft Edge, Opera and every other Chromium-based browser that has not been updated, as well as Electron applications that bundle their own copy of V8 and update on their own schedule. For federal contractors with BOD 22-01 obligations, browser patching is usually managed through endpoint management platforms: verify that auto-update policies are enforcing, not merely recommending, the latest stable channel, and confirm the installed version on a sample of devices rather than trusting the policy report alone. Managed devices that have not received a V8 patch in the last week should be flagged in vulnerability scan output immediately.

Two Overdue Entries: Don't Let Passed Deadlines Become Forgotten Debt

CVE-2026-45247 (Mirasvit Full Page Cache Warmer) had a patch deadline of June 6, three days ago. This deserialization vulnerability in the handling of the CacheWarmer cookie allows unauthenticated attackers to achieve RCE on Magento/Adobe Commerce environments. If you are running this extension and have not patched, assume the system may be compromised. Conduct a full web shell audit of the affected web root, including the pub/media and var directories that the web server can write to, review any logs that captured cookie values for serialized PHP objects in the CacheWarmer cookie (the O:<length>:"<class>" prefix that PHP's serialize() emits), and invalidate all session tokens. A stock access log does not record cookies, so this review may have to rely on WAF, reverse proxy or EDR telemetry.
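One concrete form of the log review above. PHP's serialize() writes an object as O:<length>:"<Class>":<count>:{...} (C: for classes with custom serialization), so any CacheWarmer cookie whose decoded value carries that prefix is a deserialization attempt worth pulling the full request for. The Python below is an added example for this brief, not Mirasvit or Magento code. It assumes JSON-lines logs from a proxy that records the Cookie header, takes the cookie name from the brief, guesses that the value may be URL- or base64-encoded (the brief does not say), and uses a placeholder class name, Example\Gadget, rather than any real gadget chain.

```python
"""Scan logged cookies for serialized PHP objects aimed at a deserialization sink.

Added example for this brief, not Mirasvit or Magento code. PHP's serialize()
emits objects as O:<len>:"<Class>":<n>:{...} (C:... for classes with custom
serialization), so that prefix inside a cookie the application unserializes is
the thing to hunt for. Assumptions: JSON-lines log from a proxy that records
the Cookie header; cookie name CacheWarmer (from the brief); value possibly
URL- or base64-encoded; Example\\Gadget is a placeholder class, not a gadget.
"""
import base64
import binascii
import json
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"
# O:14:"Example\Gadget":1:{  or  C:5:"Class":3:{  ; capture the class name
PHP_OBJECT = re.compile(rb'[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def decode_candidates(raw: str):
    """Plausible decodings of a cookie value: URL-decoded text, and that text base64-decoded."""
    text = unquote(raw)
    yield text.encode("latin-1", "replace")
    try:
        # validate=False drops non-alphabet bytes; padding is fixed up so near-misses still decode
        yield base64.b64decode(text + "=" * (-len(text) % 4), validate=False)
    except (binascii.Error, ValueError):
        return


def find_php_objects(cookie_header: str, cookie_name: str = COOKIE_NAME):
    """Class names of serialized PHP objects found in the named cookie ([] when clean)."""
    classes = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != cookie_name:
            continue
        for blob in decode_candidates(value):
            classes.extend(m.group(1).decode("latin-1") for m in PHP_OBJECT.finditer(blob))
    return classes


def scan_log(lines):
    """Return one hit per log line whose CacheWarmer cookie carries a serialized object."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        classes = find_php_objects(rec.get("cookie", ""))
        if classes:
            hits.append({"remote_addr": rec["remote_addr"], "request": rec["request"], "classes": classes})
    return hits


# Constructed log lines; the payload uses a placeholder class and a harmless property.
PAYLOAD = 'O:14:"Example\\Gadget":1:{s:3:"cmd";s:2:"id";}'
SAMPLE_LOG = [
    json.dumps({"remote_addr": "203.0.113.5", "request": "GET / HTTP/1.1",
                "cookie": "CacheWarmer=1; PHPSESSID=0123456789abcdef"}),
    json.dumps({"remote_addr": "203.0.113.7", "request": "GET /customer/account/ HTTP/1.1",
                "cookie": f"CacheWarmer={quote(PAYLOAD, safe='')}; PHPSESSID=fedcba9876543210"}),
    json.dumps({"remote_addr": "203.0.113.9", "request": "GET /checkout/cart/ HTTP/1.1",
                "cookie": f"CacheWarmer={base64.b64encode(PAYLOAD.encode()).decode()}"}),
    json.dumps({"remote_addr": "203.0.113.5", "request": "GET /catalog/ HTTP/1.1",
                "cookie": 'CacheWarmer=a:1:{s:3:"foo";s:3:"bar";}'}),   # serialized array, not an object
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['remote_addr']:<14} {hit['request']:<40} {', '.join(hit['classes'])}")
```

Serialized arrays (a:...) are deliberately not flagged, since a cache warmer legitimately storing an array in its cookie would otherwise drown the real hits; every class name the scan does return should be checked against the extension's own code, and anything it does not instantiate is an attacker's gadget.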

CVE-2010-0249 (Microsoft Internet Explorer) is a 16-year-old use-after-free vulnerability that CISA added and simultaneously marked as overdue on June 3. Its addition means CISA has evidence that this 2010-era exploit is still being used, which in turn means unpatched Internet Explorer installs are still reachable somewhere. The required action is explicit: discontinue use. If IE cannot be immediately removed because of legacy application dependencies, isolate the host from all network access, including the internet and e-mail, and initiate an emergency application modernization request.

All entries carry BOD 22-01 applicability for federal agencies. Organizations with cloud-hosted instances of any affected products should apply vendor-specific cloud guidance in parallel with on-premises remediation.
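The brief's own checklist, as code. CISA publishes the catalog as JSON (known_exploited_vulnerabilities.json) with one record per entry carrying cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction and knownRansomwareCampaignUse, so a watchlist filter plus a due-date countdown is a few dozen lines. The Python below is an added example for this brief, not CyberComply's alerting service or CISA tooling: the feed is a constructed sample built from the CVE IDs and due dates in this brief (the dateAdded values for the later entries are inferred from their deadlines, and the vulnerabilityName strings for those entries are paraphrased from the brief), and the Critical / Urgent / Standard thresholds are assumptions chosen for illustration.

```python
"""Triage CISA KEV entries against a vendor watchlist and the BOD 22-01 due date.

Added example for this brief, not CyberComply tooling or CISA code. The record
fields are the ones CISA publishes in known_exploited_vulnerabilities.json;
the entries below are constructed from the dates in this brief (dateAdded for
the later entries is inferred from their deadlines), and the urgency
thresholds are this example's assumptions, not CISA's.
"""
import json
from datetime import date

CRITICAL_WITHIN_DAYS = 3   # assumed: overdue, or due within three days
URGENT_WITHIN_DAYS = 14    # assumed: due within two weeks


def make_entry(cve, vendor, product, name, added, due):
    """One record in the shape CISA's feed uses."""
    return {"cveID": cve, "vendorProject": vendor, "product": product, "vulnerabilityName": name,
            "dateAdded": added, "dueDate": due,
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of "
                              "the product if mitigations are unavailable.",
            "knownRansomwareCampaignUse": "Unknown"}


# Constructed sample in the shape of the CISA feed; not a download.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.09", "dateReleased": "2026-06-09T12:00:00.0000Z", "count": 5,
    "vulnerabilities": [
        make_entry("CVE-2026-50751", "Check Point", "Security Gateway",
                   "Check Point Security Gateway Improper Authentication Vulnerability", "2026-06-08", "2026-06-11"),
        make_entry("CVE-2026-45247", "Mirasvit", "Full Page Cache Warmer",
                   "Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability", "2026-06-03", "2026-06-06"),
        make_entry("CVE-2026-42271", "BerriAI", "LiteLLM",
                   "BerriAI LiteLLM Command Injection Vulnerability", "2026-06-08", "2026-06-22"),
        make_entry("CVE-2026-11645", "Google", "Chromium V8",
                   "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability", "2026-06-09", "2026-06-23"),
        make_entry("CVE-2026-7473", "Arista", "EOS",
                   "Arista EOS Tunneled Packet Decapsulation Vulnerability", "2026-06-09", "2026-06-23"),
    ],
})


def load_entries(feed_json: str):
    return json.loads(feed_json)["vulnerabilities"]


def urgency(days_left: int) -> str:
    """Assumed scoring: overdue/imminent -> Critical, within two weeks -> Urgent, else Standard."""
    if days_left <= CRITICAL_WITHIN_DAYS:
        return "Critical"
    if days_left <= URGENT_WITHIN_DAYS:
        return "Urgent"
    return "Standard"


def added_between(entries, start: date, end: date):
    """Entries whose dateAdded falls in [start, end], the window a weekly brief covers."""
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def triage(entries, watchlist, today: date):
    """Rows for watchlisted vendors, soonest due date first; vendor match is case-insensitive."""
    wanted = {v.casefold() for v in watchlist}
    rows = []
    for e in entries:
        if e["vendorProject"].casefold() not in wanted:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({"cve": e["cveID"], "vendor": e["vendorProject"], "product": e["product"],
                     "due": e["dueDate"], "days_left": days_left, "overdue": days_left < 0,
                     "urgency": urgency(days_left), "ransomware": e["knownRansomwareCampaignUse"]})
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))


if __name__ == "__main__":
    today = date(2026, 6, 9)
    entries = added_between(load_entries(SAMPLE_FEED), date(2026, 6, 3), today)
    for r in triage(entries, ["Check Point", "Mirasvit", "BerriAI", "Google"], today):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['urgency']:<8} {r['cve']:<15} {r['vendor']} {r['product']} due {r['due']} ({flag})")
```

Swap SAMPLE_FEED for the downloaded file and pass date.today(). Match the watchlist on vendorProject, which is a controlled value, rather than on the free-text vulnerabilityName, and keep overdue entries in the output: a missed deadline is still an obligation, which is the point the brief makes about the two overdue entries above.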

Sources: CISA KEV Catalog · Cisco Security Advisory — SD-WAN Manager · Check Point Security Advisory Portal · Arista Security Advisories · Google Chrome Releases Blog · SolarWinds Security Vulnerability Response · CISA Alert AA22-011A — BOD 22-01 Guidance

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 22-01 deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 22-01

Binding Operational Directive (BOD) 22-01 is a directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) that requires federal civilian executive branch agencies to remediate vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog by the due date attached to each entry. It covers software and hardware on federal information systems, including systems hosted by contractors on an agency's behalf, and CISA recommends that all other organizations follow the same deadlines.



Cyber Security News

You may have missed...


📌 Pinned

https://betanews.com · Mar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://krebsonsecurity.com · Jun 9

Pro-Iran Hackers Exploit Meta AI to Hijack High-Value Instagram Accounts

Pro-Iran hackers released videos demonstrating how to exploit Meta's AI support chatbot to reset passwords on Instagram accounts without multi-factor ...

https://www.thezdi.com · Jun 9

Microsoft June 2026 Patch Tuesday: Record 208 CVEs with Multiple Zero-Days

Microsoft released its largest Patch Tuesday ever with 208 CVEs including an actively exploited Defender privilege escalation flaw and critical remote...

https://krebsonsecurity.com · May 22

Alleged Kimwolf Botmaster Jacob Butler Arrested and Charged

Canadian authorities arrested 23-year-old Jacob Butler, the suspected operator of Kimwolf, a massive IoT DDoS botnet that infected over 1 million devi...

https://thehackernews.com · Jun 6

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, planting credential-harvesting payloads that activate when developers ...

https://thehackernews.com · Jun 10

Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now

Google released security updates for 74 Chrome vulnerabilities, including CVE-2026-11645, a high-severity V8 out-of-bounds memory access flaw.

https://www.cnbc.com · Jun 10

Beijing escalating AI espionage to catch up with the U.S. on tech, cybersecurity firm says - CNBC

U.S. cybersecurity giant CrowdStrike said China-based entities made over half of state-sponsored cyberattacks on tech firms for artificial ...

https://databreaches.net · Jun 7

Ex-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks - DataBreaches.Net

IBM and AT&T lacked basic security controls and hid nation-state hacking breaches from the government, a former IBM threat intelligence official ...

https://www.yahoo.com · Jun 7

An 85-Year-Old Was Told Her Amazon Account Was Hacked. Police Say She Lost $154,000

An 85-year-old Pennsylvania woman was told her Amazon account had been hacked. Police say she later reported losing more than $154000 in a ...


Updated daily