Network Infrastructure and SD-WAN: Elevated Risk Across the Perimeter

Three entries this week target the network fabric itself — the routing, switching, and WAN orchestration layer that most organizations monitor less rigorously than endpoint or application stacks.

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager) involves an improper output escaping vulnerability that allows an authenticated local attacker to escalate to root by supplying a crafted file. While the "authenticated, local" qualifier may tempt some teams to deprioritize this, SD-WAN Manager's administrative plane is a crown-jewel target: control-plane access translates directly to traffic manipulation across all connected branch sites. The realistic threat model here is post-initial-access privilege escalation — patch by June 23 and audit administrative account activity on vManage/SD-WAN Manager instances now.

CVE-2026-7473 (Arista EOS) is an incomplete comparison vulnerability in tunnel decapsulation logic, allowing unexpected tunneled packets with a matching destination IP to be decapsulated and forwarded incorrectly. In high-security environments — government, financial services, defense contractors — this kind of packet-handling flaw in core switching infrastructure represents a covert lateral movement or traffic injection risk that perimeter controls will not catch. Arista EOS operators should apply vendor guidance before June 23 and review tunnel interface configurations for unexpected or legacy encapsulation protocols.

Taken together, these two entries reinforce a consistent pattern: network control planes are under active adversary interest, and the assumption that infrastructure devices are harder to target than application servers is no longer operationally sound.

Developer Toolchains and End-User Browsers: The AI Stack Joins a Familiar Problem Set

CVE-2026-42271 (BerriAI LiteLLM) is a notable entry that signals expanding KEV coverage into AI/LLM middleware. This command injection flaw allows any authenticated user — including low-privilege internal-user key holders — to execute arbitrary commands on the host. LiteLLM is widely deployed as a proxy and load balancer across heterogeneous LLM API backends in enterprise AI pipelines. The threat model is insider threat amplification: any developer or service account with an API key becomes a potential RCE vector. Teams running LiteLLM in shared or multi-tenant environments should treat this as a critical isolation problem, not just a patch exercise. Rotate all API keys post-remediation and audit key issuance policies. Deadline is June 22.

CVE-2026-11645 (Google Chromium V8) is a cross-browser out-of-bounds read/write vulnerability exploitable via a crafted HTML page that achieves sandbox escape. This affects Chrome, Edge, Opera, and any Chromium-derived browser — meaning virtually every enterprise desktop. Apply browser updates immediately; browser patch cycles are typically fast, and the June 23 deadline should be achievable well in advance through standard patch management tooling.

Finally, CVE-2010-0249 (Microsoft Internet Explorer) — a 16-year-old use-after-free vulnerability — has been added with a same-day deadline of June 3, already passed. Its inclusion signals active exploitation in legacy environments. If Internet Explorer is present anywhere in your environment, it should not be: remove it, enforce policy blocking IE-based rendering via Group Policy, and treat any system still running IE as potentially compromised pending investigation.

Sources: CISA KEV Catalog · CISA BOD 22-01 · CISA BOD 26-04 · Ivanti Security Advisory – Sentry · Cisco Security Advisory – SD-WAN Manager · Check Point Security Advisory · Arista Security Advisory – EOS · SolarWinds Security Advisory – Serv-U · Google Chrome Releases