Cisco SD-WAN and Network Infrastructure: A Compounding Attack Surface

Two separate Cisco Catalyst SD-WAN Manager vulnerabilities — CVE-2026-20262 (path traversal, deadline June 29) and CVE-2026-20245 (improper output encoding, deadline June 23) — landed in KEV days apart, and their combination tells a more serious story than either entry alone.

CVE-2026-20245 requires local, authenticated access to execute arbitrary commands as root via a crafted file. CVE-2026-20262 enables an authenticated remote attacker to create or overwrite arbitrary files on the filesystem. Chain these two: an attacker who gains any authenticated foothold remotely — through phishing, credential stuffing, or a compromised service account — can use the path traversal to plant a crafted file in the right location, then trigger the output encoding flaw to achieve root-level code execution. The result is an authenticated-but-low-barrier path to full SD-WAN controller compromise, impacting the routing policies, VPN configurations, and network segmentation of every branch governed by that Manager instance.

Federal contractors and operators of distributed WAN infrastructure must prioritize CVE-2026-20245 first (earlier deadline), audit SD-WAN Manager authentication logs for anomalous file operations, and enforce MFA on all management-plane access immediately. Treat the SD-WAN Manager as a Tier-1 critical asset if it governs more than five branch sites or touches classified network segments.

Separately, CVE-2026-7473 (Arista EOS) — deadline June 23 — affects network switching infrastructure at the data-plane level. The incomplete tunnel decapsulation comparison causes EOS to forward packets it should discard, potentially enabling traffic injection or bypass of microsegmentation controls. While exploitation prerequisites are more complex, any organization relying on Arista EOS for zero-trust segmentation enforcement should prioritize this patch and review tunnel interface configurations for unexpected decapsulation endpoints.

AI Infrastructure and the Browser Attack Surface: Expanding Threat Frontiers

Two entries this cycle highlight emerging and persistently exploited attack surfaces that extend well beyond traditional enterprise perimeters.

CVE-2026-42271 (BerriAI LiteLLM) — deadline June 22 — is a command injection flaw that any authenticated user, including low-privilege internal API key holders, can exploit to run arbitrary OS commands on the LiteLLM host. LiteLLM is widely deployed as an internal gateway for routing prompts to multiple LLM providers, meaning a compromised LiteLLM host sits in a privileged position with access to API keys for OpenAI, Anthropic, Azure OpenAI, and other backends. Exploitation here isn't just about one server — it's about exfiltrating every AI provider credential in the environment. DevOps and MLOps teams should patch immediately, audit all issued API keys, rotate LLM provider credentials, and review whether LiteLLM is deployed with least-privilege OS user accounts.

CVE-2026-11645 (Google Chromium V8) — deadline June 23 — is an out-of-bounds read/write vulnerability enabling arbitrary code execution inside the browser sandbox via a crafted HTML page. This affects Chrome, Edge, Opera, and any Electron-based applications embedding Chromium. The sandbox escape risk is the critical factor: weaponized drive-by pages or malicious ads targeting employees in phishing campaigns can deliver this payload passively. Push Chrome/Edge updates via enterprise policy management tools immediately, and verify that Electron-based internal tooling is also updated — these applications are frequently overlooked in browser patch cycles.

Remediation Priority Summary

| Priority | CVE | Deadline | Key Risk | |---|---|---|---| | 🔴 Immediate | CVE-2026-10520 | Overdue (6/14) | Unauthenticated root RCE — Ivanti Sentry | | 🔴 Immediate | CVE-2026-35273 | Today (6/15) | Unauthenticated full takeover — PeopleSoft | | 🟠 Urgent | CVE-2026-54420 | 6/18 | Tenant isolation breach — LiteSpeed cPanel | | 🟡 High | CVE-2026-20245 | 6/23 | Authenticated root RCE — Cisco SD-WAN | | 🟡 High | CVE-2026-42271 | 6/22 | Command injection + AI credential exposure — LiteLLM | | 🟡 High | CVE-2026-11645 | 6/23 | Browser sandbox RCE — Chromium V8 | | 🟡 High | CVE-2026-7473 | 6/23 | Network segmentation bypass — Arista EOS | | 🟢 Elevated | CVE-2026-20262 | 6/29 | File overwrite enabling chain attacks — Cisco SD-WAN |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Cisco Security Advisories · Ivanti Security Advisories · Oracle Critical Patch Update · Google Chrome Releases · Arista Security Advisories · BerriAI LiteLLM GitHub Security