KEV Intelligence Brief — June 11, 2026

Distribution: Federal Contractors · DevOps / Platform Engineering · Security Operations Leadership Prepared: Thursday, June 11, 2026 | Source: CISA Known Exploited Vulnerabilities Catalog

Eight new entries landed in the KEV catalog over the past week. Read together, they reveal three converging threat patterns: attackers pressing hard on network perimeter and infrastructure control planes, a growing exploitation surface in AI/ML tooling and e-commerce platforms, and a cluster of deadlines—several already past—that demand immediate triage.

Perimeter Under Pressure: VPN, SD-WAN, and Network OS

The highest-urgency entry in this batch is CVE-2026-50751, affecting the Check Point Security Gateway. Its patch deadline was today—June 11, 2026—meaning federal civilian agencies are already out of compliance if they haven't acted. The vulnerability lives in the IKEv1 key exchange implementation and requires no credentials whatsoever: an unauthenticated remote attacker can bypass authentication entirely and establish a valid remote-access VPN tunnel. This is not a privilege escalation story; this is an adversary walking through the front door. Organizations still running IKEv1 for remote access should treat this as a fire drill. Disable IKEv1 where IKEv2 is available, enforce certificate-based authentication as a compensating control, and audit VPN session logs for anomalous tunnel establishments going back at least 30 days.

Complementing that entry is CVE-2026-20245 in Cisco Catalyst SD-WAN Manager (formerly vManage), with a deadline of June 23. The attack requires local authentication, but in SD-WAN environments that threshold is often lower than it sounds—service accounts, API tokens, and operator credentials circulate broadly. Exploitation yields arbitrary command execution as root on the management plane, which in an SD-WAN architecture translates to policy control over an entire WAN fabric. Treat this as a lateral-movement amplifier: assume any compromised SD-WAN credential is now a root-level threat. Rotate all vManage/SD-WAN Manager credentials immediately, restrict management-plane access to dedicated jump hosts, and apply the Cisco advisory patch before June 23.

Rounding out this cluster, CVE-2026-7473 affects Arista Extensible Operating System (EOS)—also due June 23. The flaw causes switches to incorrectly decapsulate and forward unexpected tunneled packets when the destination IP matches the configured decapsulation address. While this may initially read as a routing anomaly, in practice it enables traffic injection and potential bypass of network segmentation controls. Data center and campus teams running Arista gear should cross-reference affected EOS versions against Arista's security advisory and assess whether network segmentation boundaries—particularly those protecting OT or sensitive enclaves—are exposed.

Browser, AI Tooling, and E-Commerce: The Expanding Application Attack Surface

CVE-2026-11645 is a classic V8 out-of-bounds read/write in Google Chromium, deadline June 23, affecting Chrome, Edge, and Opera simultaneously. The delivery mechanism is a crafted HTML page—meaning phishing, malvertising, and watering-hole campaigns are all viable vectors. The sandbox escape framing is important: this isn't theoretical post-exploitation, it's the exploitation step itself. Endpoint teams should push browser updates via policy enforcement rather than relying on user-initiated updates. For Chromium-embedded applications (Electron apps, kiosk systems, internal tooling), assess whether those runtimes consume independent update channels and act accordingly.

Far more novel—and arguably the most strategically significant entry this cycle—is CVE-2026-42271 in BerriAI LiteLLM, deadline June 22. LiteLLM is an open-source proxy layer widely deployed in enterprise AI/LLM infrastructure to route requests across OpenAI, Anthropic, Azure AI, and similar backends. The command injection flaw is exploitable by any authenticated user, including holders of low-privilege internal-user API keys. In most LiteLLM deployments, internal-user keys are distributed liberally to developers and CI/CD pipelines—effectively making this a near-unauthenticated RCE against the AI infrastructure layer. Organizations running LiteLLM in production must patch immediately, audit all issued API keys, and consider whether the host running LiteLLM has network access to sensitive AI model backends or internal data sources that would constitute a secondary blast radius.

CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento/Adobe Commerce had a patch deadline of June 6—already overdue. Unauthenticated attackers can supply a crafted serialized PHP object via the CacheWarmer cookie to achieve remote code execution. Magento environments are perennially targeted for payment skimming and credential harvesting. If you're running this extension unpatched, assume the environment is compromised, conduct a full integrity check of storefront PHP files, and rotate all payment processor API keys and admin credentials before patching.

Deadline Watch: Overdue Entries and a 16-Year-Old Ghost

Two entries warrant specific attention for deadline management. CVE-2026-28318 in SolarWinds Serv-U (deadline June 19) allows unauthenticated crash of the file-transfer service via a specially crafted POST request using Content-Encoding: deflate. While classified as resource consumption rather than RCE, denial-of-service against a file-transfer gateway in a federal contractor environment can disrupt mission-critical operations. Patch or isolate Serv-U management interfaces from internet-facing exposure.

Finally, CVE-2010-0249—a use-after-free in Microsoft Internet Explorer with a same-day deadline of June 3—has already passed. The 16-year gap between discovery and KEV cataloging signals active exploitation detected in the wild against legacy environments, likely OT networks, kiosk systems, or embedded Windows installations that never shed IE. CISA's guidance is unambiguous: discontinue use. If operational constraints prevent immediate removal, isolate affected systems from all untrusted network paths and escalate to leadership for emergency asset retirement planning.

Sources: CISA KEV Catalog · Cisco Security Advisory — SD-WAN Manager · Check Point Security Advisory CVE-2026-50751 · Arista Security Advisory · Google Chrome Releases · SolarWinds Security Advisories · CISA BOD 22-01