Critical Vulnerability

CISA adds Cisco, Chrome flaws to KEV catalog


What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, following confirmed active exploitation. The additions include a critical Cisco SD-WAN CLI remote code execution (RCE) flaw, a Chrome V8 JavaScript engine RCE, and an Arista edge device vulnerability. Federal civilian agencies are required to remediate these vulnerabilities by the binding operational directive deadline.

Why It Matters

This KEV update signals that threat actors have weaponized exploits for these specific flaws, increasing risk for organizations using affected Cisco SD-WAN appliances, Chrome browsers, and Arista hardware. The Cisco vulnerability is particularly concerning because SD-WAN deployments serve as critical network infrastructure for branch offices and remote connectivity - a compromised device can provide persistent access to corporate networks. The Chrome flaw exposes a broad attack surface, given the browser’s ubiquity across enterprise environments.

Technical Details

  • CVE-2026-20245: A command injection vulnerability in Cisco SD-WAN vManage that allows authenticated attackers to execute arbitrary commands with root privileges via crafted CLI input. Affects all SD-WAN vManage releases prior to the latest patched version. [CVE-2026-20245]
  • CVE-2026-11645: A type confusion vulnerability in Chrome’s V8 JavaScript engine that can lead to remote code execution. Exploitation occurs when a user visits a maliciously crafted web page. [CVE-2026-11645]
  • Third flaw: Impacts Arista edge networking devices, though specific technical details remain limited at this time. The vulnerability allows arbitrary code execution via crafted network traffic.

All three flaws are under active exploitation, though CISA did not disclose specific threat actor attribution or attack campaigns.

Immediate Risk

The risk is critical for organizations that have not patched. For the Cisco SD-WAN vulnerability, authenticated attackers - who may gain an initial foothold through other means - can achieve full device compromise, potentially pivoting into the core network. The Chrome vulnerability presents a user-level risk: any employee visiting a compromised or malicious website could have their browser session hijacked. Given Chrome’s auto-update mechanism, most users will be protected once Stable channel updates reach version 126.0.6478.182 or later. Organizations running unpatched Chrome versions face the highest risk.

Security Insight

The simultaneous addition of SD-WAN, browser, and edge device flaws to KEV highlights a shift in attacker targeting toward network underlay control. Rather than breaching servers or email, adversaries are exploiting the infrastructure layer that security teams often treat as “trusted.” In the 2023 Cisco breach response playbooks, operators focused heavily on firewall and VPN patching. This KEV entry suggests attackers have moved to SD-WAN as the new pivot point - a device type that historically sees slower patch cycles than firewalls. Security teams should treat their SD-WAN management plane with the same rigor as their firewall management, including segmentation, MFA for admin access, and continuous vulnerability scanning.
