Network Fabric at Risk: SD-WAN, EOS, and Lateral Movement Enablement

Two infrastructure-layer vulnerabilities this period target the routing and switching fabric that underpins enterprise and carrier networks, compounding risk for organizations that rely on software-defined networking or cloud-managed WAN.

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager) involves an improper output encoding flaw that allows an authenticated local attacker to execute commands as root via a crafted file. While the local authentication requirement reduces remote exploitation surface, SD-WAN Manager nodes are frequently administered by third-party MSPs and contractors — broadening the pool of principals who could abuse this. In a compromised MSP scenario, this becomes a supply-chain lever. Patch deadline is June 23; prioritize patching on any SD-WAN Manager node accessible to external administrators or shared service accounts.

CVE-2026-7473 (Arista Extensible Operating System) is technically subtle but strategically significant. Arista EOS incorrectly decapsulates and forwards tunneled packets with destination IPs matching the device's own decapsulation configuration. This incomplete comparison logic can be abused to inject traffic through segmentation boundaries that operators believe are enforced. In data center and cloud-on-ramp environments where Arista EOS underpins micro-segmentation, this is a policy bypass, not merely a routing anomaly. Deadline is also June 23. Until patched, audit tunnel decapsulation configurations and validate that traffic inspection controls sit out-of-band from affected switching paths.

Expanding Attack Surface: Browser Engines, AI Middleware, and File Transfer Services

This week's catalog also captures three increasingly common target categories: end-user browser engines exploited through crafted content, AI/LLM infrastructure lacking hardened privilege models, and file transfer services used as initial access footholds.

CVE-2026-11645 (Google Chromium V8) is a sandbox-escaping out-of-bounds read/write exploitable via a crafted HTML page. Because V8 underpins Chrome, Edge, and Opera, the effective exposed population is nearly universal. Deadline is June 23. Browser patching should be handled through automated update enforcement — if your organization relies on manual browser patching cycles, that process is already inadequate for this threat class. Verify that Chrome and Edge fleet versions are at or above the vendor's remediation build via endpoint management tooling.

CVE-2026-42271 (BerriAI LiteLLM) is a landmark entry: CISA's formal acknowledgment that AI gateway middleware is now active exploitation terrain. Any authenticated user — including low-privilege internal API key holders — can inject commands and execute arbitrary code on the host. LiteLLM is widely deployed as a unified proxy layer over multiple LLM providers in enterprise AI platforms. The threat model here includes insider risk and compromised API keys. Patch by June 22, audit all issued API keys, and enforce least-privilege key scoping immediately. Do not assume that internal-only deployments are safe; lateral movement from adjacent compromised services is a realistic vector.

CVE-2026-28318 (SolarWinds Serv-U) demonstrates that denial-of-service primitives earn KEV status when they are unauthenticated and reliably reproducible. A crafted POST using Content-Encoding: deflate crashes the Serv-U service without any credentials. Beyond availability impact, service crashes can disrupt audit logging, create detection blind spots, and precede follow-on exploitation. Deadline is June 19. SolarWinds Serv-U has appeared in KEV previously in contexts far more severe; treat any exposure of this service to untrusted networks as unacceptable until patched.

Sources: CISA KEV Catalog · CISA BOD 26-04 · Oracle Security Alerts · Ivanti Security Advisories · Google Chrome Releases · Cisco Security Advisories · Arista Security Advisories · Check Point Security Advisories · SolarWinds Security Advisories · BerriAI LiteLLM GitHub