Network Infrastructure Under Coordinated Pressure: Cisco SD-WAN and Arista EOS

Two separate Cisco Catalyst SD-WAN Manager vulnerabilities entered the KEV catalog within six days of each other, and they compound one another in a realistic attack chain.

CVE-2026-20245 (added June 9, deadline June 23) is an improper encoding or escaping vulnerability allowing an authenticated local attacker to execute arbitrary commands as root via a crafted file. CVE-2026-20262 (added June 15, deadline June 29) is a path traversal flaw that lets an authenticated remote attacker create or overwrite any file on the system. Neither requires authentication escalation if an attacker already holds low-privilege credentials — and the path traversal flaw could be used to stage the malicious file that CVE-2026-20245 then executes. Organizations managing SD-WAN through a centralized vManage console should assume that a single set of compromised credentials can translate to full infrastructure control. Rotate SD-WAN Manager credentials now, enforce MFA on the management interface, and restrict console access to jump hosts or dedicated management VLANs. Both carry June 23 and June 29 deadlines, but given the chaining risk, treat the earlier deadline as controlling.

CVE-2026-7473 (Arista Extensible Operating System), also with a June 23 deadline, introduces a different but equally concerning network-layer risk. The incomplete comparison flaw causes Arista switches to incorrectly decapsulate and forward tunneled packets whose destination IP matches the switch's own decapsulation address. In practice, this can allow an attacker to inject unexpected traffic into protected network segments — a primitive that supports lateral movement and network segmentation bypass. Data center operators and federal network teams running Arista EOS should audit tunnel decapsulation configurations and apply the vendor patch before June 23.

Browser Engine and CMS Exposure: Supply-Chain Surface Area at Scale

CVE-2026-11645 (Google Chromium V8), added June 9 with a June 23 deadline, is an out-of-bounds read and write vulnerability enabling arbitrary code execution inside a sandbox via a crafted HTML page. The scope extends beyond Chrome — any browser or application embedding the Chromium engine, including Microsoft Edge and Opera, is potentially affected. For federal agencies and contractors operating under BOD 26-04, browser patching is non-negotiable. Push Chrome and Edge updates via enterprise management tooling immediately; do not wait for users to self-update. Verify that auto-update mechanisms have not been disabled by policy or prior misconfiguration.

Taken alongside CVE-2026-48907 — the Joomla Content Editor webshell primitive — this week's catalog reflects a recurring pattern: attackers are targeting the delivery and rendering layer simultaneously. A compromised Joomla site hosting a malicious page becomes a credible browser exploitation vector when Chromium remains unpatched on visiting endpoints. These two vulnerabilities, from different vendors and product categories, operate as complementary stages in a client-side compromise chain.

Summary Prioritization

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-10520 | Ivanti Sentry | June 14 | Overdue | | CVE-2026-35273 | Oracle PeopleSoft | June 15 | Overdue | | CVE-2026-54420 | LiteSpeed cPanel Plugin | June 18 | Due Today | | CVE-2026-48907 | Widget Factory Joomla CE | June 19 | Due Tomorrow | | CVE-2026-11645 | Google Chromium V8 | June 23 | 5 days | | CVE-2026-20245 | Cisco SD-WAN Manager | June 23 | 5 days | | CVE-2026-7473 | Arista EOS | June 23 | 5 days | | CVE-2026-20262 | Cisco SD-WAN Manager | June 29 | 11 days |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Cisco Security Advisories · Ivanti Security Advisory Portal · Oracle Critical Patch Update · Arista Security Advisories · Google Chrome Releases · LiteSpeed Technologies Security Notices