CISA Adds Three Known Exploited Vulnerabilities to Catalog (CVE-2026-7473, CVE-2026-11645, CVE-2026-20245)

What Happened

CISA has warned that three software vulnerabilities are currently being used by attackers in the wild. These flaws affect Arista operating systems, Google Chromium's V8 engine, and Cisco Catalyst SD-WAN Manager. Because these vulnerabilities are actively being exploited, they pose a significant risk to organizations. System administrators should apply the latest security updates from the respective vendors as soon as possible.

Key Takeaways

• CISA added three new vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
• The vulnerabilities affect Arista Extensible Operating System (EOS), Google Chromium V8, and Cisco Catalyst SD-WAN Manager.
• Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities under BOD 22-01.
• All organizations are strongly urged to prioritize timely remediation of these vulnerabilities to reduce exposure to cyberattacks.

Affected Systems

• Arista Extensible Operating System (EOS)
• Google Chromium V8
• Cisco Catalyst SD-WAN Manager

Vulnerabilities (CVEs)

• CVE-2026-7473
• CVE-2026-11645
• CVE-2026-20245

Attack Chain

Malicious cyber actors are actively exploiting vulnerabilities in Arista EOS (CVE-2026-7473), Google Chromium V8 (CVE-2026-11645), and Cisco Catalyst SD-WAN Manager (CVE-2026-20245). Specific exploitation chains, payloads, and post-exploitation activities are not detailed in the alert, but the vulnerabilities likely allow for unauthorized access, remote code execution, or data manipulation depending on the specific flaw.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the CISA alert.

Detection Engineering Assessment

EDR Visibility: Low — The vulnerabilities primarily affect network appliances (Arista, Cisco) where EDR cannot be installed, though EDR may detect post-exploitation activity from the Chromium V8 exploit on endpoints. Network Visibility: Medium — Network sensors might detect exploit payloads targeting the Arista or Cisco appliances if specific IDS/IPS signatures are available from vendors. Detection Difficulty: Hard — The alert does not provide specific IOCs, exploit payloads, or behavioral patterns to build detections upon, relying instead on vulnerability scanning and patching.

Required Log Sources

• Vulnerability Management Scans
• Web Proxy Logs
• Network IDS/IPS Logs

Hunting Hypotheses

Control Gaps

• Lack of timely patching for edge devices and browsers
• Insufficient vulnerability scanning frequency

Key Behavioral Indicators

• Unexpected child processes spawning from browser processes
• Anomalous administrative access or configuration changes on Arista or Cisco devices

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify all instances of Arista EOS, Google Chromium, and Cisco Catalyst SD-WAN Manager in your environment.
• Apply vendor-supplied patches or mitigations for CVE-2026-7473, CVE-2026-11645, and CVE-2026-20245 immediately.

Infrastructure Hardening

• Ensure management interfaces for network appliances (Arista, Cisco) are not exposed to the public internet.
• Implement strict access control lists (ACLs) for administrative interfaces.

User Protection

• Ensure enterprise browsers are configured to auto-update to mitigate the Chromium V8 vulnerability.
• Consider forcing browser restarts across the fleet to ensure pending updates are applied.

Security Awareness

• Remind users to restart their browsers when prompted to apply critical security updates.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1189 - Drive-by Compromise