Back to Intelligence

CISA KEV Alert: Actively Exploited Vulnerabilities in Arista EOS, Chromium V8, and Cisco SD-WAN Manager

SA
Security Arsenal Team
June 9, 2026
6 min read

On June 9, 2026, CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling confirmed active exploitation in the wild. Under Binding Operational Directive (BOD) 22-01, federal agencies have strict deadlines to remediate these vulnerabilities, but the implications extend far beyond the federal enterprise. The inclusion of these CVEs—impacting Arista EOS, Google Chromium, and Cisco Catalyst SD-WAN Manager—highlights a diverse attack surface spanning network infrastructure, endpoint browsers, and WAN management controllers.

Defenders must treat these updates as critical action items. The vulnerabilities listed below are not theoretical; they are currently being leveraged by malicious actors to establish initial access or facilitate lateral movement.

Technical Analysis

CVE-2026-7473: Arista Extensible Operating System (EOS)

Vulnerability: Incomplete Comparison with Missing Factors Component: Arista EOS Management Plane

This vulnerability resides in the Arista EOS software, specifically affecting how the system compares security factors, likely within the authentication or authorization subsystem. An "Incomplete Comparison" error typically allows an attacker to bypass security checks by failing to validate all necessary conditions. In the context of network infrastructure, this can lead to unauthorized administrative access. Given Arista's prominence in data center and campus spine/leaf architectures, a successful exploit could allow an attacker to modify routing protocols or sniff traffic, fundamentally compromising the network's confidentiality and integrity.

CVE-2026-11645: Google Chromium V8 Engine

Vulnerability: Out-of-Bounds (OOB) Read and Write Component: V8 JavaScript Engine

This vulnerability affects the V8 engine, the core of Google Chrome and other Chromium-based browsers (Edge, Brave, etc.). An OOB read/write flaw allows a maliciously crafted web page to access memory locations outside the intended buffer boundaries. Exploitation typically involves a heap spray technique followed by a sandbox escape. If a user visits a compromised site, the attacker can execute arbitrary code on the endpoint with the privileges of the browser user. This is a classic "drive-by" download vector, making it a high-risk pathway for initial access into secured environments.

CVE-2026-20245: Cisco Catalyst SD-WAN Manager

Vulnerability: Improper Encoding or Escaping of Output Component: SD-WAN Manager Web Interface

Improper encoding or escaping of output is a class of web application vulnerability that often leads to Reflected or Stored Cross-Site Scripting (XSS), but in the context of a management controller like Cisco's SD-WAN Manager, it frequently escalates to Remote Code Execution (RCE). An attacker could inject malicious scripts into input fields that are subsequently executed by administrators' browsers. If the application fails to sanitize inputs correctly, attackers can hijack administrative sessions or execute commands on the underlying Linux OS of the SD-WAN Manager, potentially pivoting to the entire managed overlay network.

Detection & Response

Given the active exploitation status, organizations must assume that scanning and exploitation attempts are already occurring.

SIGMA Rules

The following Sigma rules detect behavioral indicators of exploitation for the Chromium browser and the Cisco/Arista infrastructure components.

YAML
---
title: Chromium V8 Exploit Sandbox Escape
id: 8a4b2c1d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
status: experimental
description: Detects potential Chromium V8 engine exploitation where the renderer process spawns a shell, indicating a successful sandbox escape.
references:
 - https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/09
tags:
 - attack.execution
 - attack.t1059.001
 - attack.initial_access
 - cve-2026-11645
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith: '\chrome.exe'
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\pwsh.exe'
 condition: selection
falsepositives:
 - Legitimate developer usage launching tools from browser workflows (rare)
level: critical
---
title: Network Mgmt Command Injection via Web Shell
date: 2026/06/09
id: 9d5c3e2f-1a2b-4c5d-6e7f-8a9b0c1d2e3f
status: experimental
description: Detects web server or Java processes spawning shell commands, indicative of command injection in network management appliances like Cisco SD-WAN Manager.
author: Security Arsenal
references:
 - https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains:
     - 'java'
     - 'tomcat'
     - 'nginx'
     - 'vmanage'
   Image|endswith:
     - '/sh'
     - '/bash'
     - '/dash'
 condition: selection
falsepositives:
 - Authorized administrative debugging via web console
level: high

KQL (Microsoft Sentinel)

Use these queries to hunt for signs of Chromium exploitation and suspicious management plane activity.

KQL — Microsoft Sentinel / Defender
// Hunt for Chromium V8 Exploitation (Sandbox Escape)
// Look for Chrome renderer processes spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "chrome.exe" and InitiatingProcessParentFileName == "chrome.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| extend AlertDetails = "Potential Chrome Sandbox Escape - CVE-2026-11645"

// Hunt for Cisco SD-WAN or Arista Management Plane Abuse
// Look for web services spawning shells in Syslog/CEF
Syslog
| where TimeGenerated > ago(7d)
| where ProcessName matches regex "(java|tomcat|vmanage|nginx)"
| where SyslogMessage matches regex "(exec|sh -c|/bin/bash|cmd.exe)"
| project TimeGenerated, DeviceName, ProcessName, SyslogMessage
| extend AlertDetails = "Potential Web Shell/Command Injection - CVE-2026-20245"

Velociraptor VQL

This artifact hunts for process anomalies on Linux endpoints hosting the affected management appliances.

VQL — Velociraptor
-- Hunt for web server processes spawning shells on Linux Infrastructure
SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Username
FROM pslist()
WHERE Parent.Name in ('java', 'nginx', 'apache2', 'vmanage') 
  AND Name in ('sh', 'bash', 'dash', 'ksh')
ORDER BY Pid

Remediation Script

This PowerShell script assists in verifying the Chrome version on Windows endpoints to ensure mitigation against CVE-2026-11645.

PowerShell
# Remediation Script: Check Chromium Version for CVE-2026-11645
# Note: Update the $MinSafeVersion variable based on the official security advisory release.

$MinSafeVersion = [version]"131.0.6778.0" # Placeholder, verify specific patch version from vendor
$ChromePath = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
$ProgramFilesPath = "$env:PROGRAMFILES\Google\Chrome\Application\chrome.exe"

$CurrentVersion = $null

if (Test-Path $ChromePath) {
    $CurrentVersion = (Get-Item $ChromePath).VersionInfo.FileVersion
} elseif (Test-Path $ProgramFilesPath) {
    $CurrentVersion = (Get-Item $ProgramFilesPath).VersionInfo.FileVersion
}

if ($CurrentVersion) {
    $VerObj = [version]$CurrentVersion
    if ($VerObj -lt $MinSafeVersion) {
        Write-Host "[ALERT] Vulnerable Chrome Version detected: $CurrentVersion (Required: $MinSafeVersion)" -ForegroundColor Red
        # Trigger update logic or enforcement here
        Start-Process "$env:PROGRAMFILES\Google\Update\GoogleUpdate.exe" -ArgumentList "/update /register"
    } else {
        Write-Host "[OK] Chrome Version is patched: $CurrentVersion" -ForegroundColor Green
    }
} else {
    Write-Host "[INFO] Google Chrome not found in standard locations." -ForegroundColor Yellow
}

Remediation

CVE-2026-7473 (Arista EOS)

  1. Review Arista Security Advisories for the specific patch release addressing this CVE.
  2. Upgrade Arista EOS to the latest stable release that contains the fix for "Incomplete Comparison with Missing Factors."
  3. Restrict management plane access (HTTPS/SSH) to specific source IP subnets via ACLs or firewalls immediately if patching is delayed.

CVE-2026-11645 (Google Chromium)

  1. Update Google Chrome to the latest stable channel release (verify against the release date of June 2026).
  2. For enterprise-managed devices, enforce auto-updates via Group Policy or your MDM solution immediately.
  3. Educate users on the risks of clicking unknown links, as this is a drive-by exploit vector.

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager)

  1. Apply the patches provided in the Cisco Security Advisory for CVE-2026-20245.
  2. If immediate patching is not feasible, disable the web management interface (vManage) from the internet and enforce VPN access for administrators.
  3. Audit logs for successful logins followed by command-line activity to identify potential compromise.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevcve-2026-7473cve-2026-11645

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action