CISA Adds Three Actively Exploited Vulnerabilities to KEV Catalog, Arista EOS Flaw to Remain Unpatched
The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added three vulnerabilities to its **Known Exploited Vulnerabilities (KEV)** catalog, citing evidence of active exploitation in the wild. The additions affect **Cisco Catalyst SD-WAN Manager**, **Google Chrome**, and **Arista EOS**. Notably, the **Arista Extensible Operating System (EOS)** flaw will not receive a patch.
### CISA Flags Critical Flaws for Immediate Action
**CISA** updated its **KEV** catalog to record active exploitation of three vulnerabilities. Under Binding Operational Directive (BOD) 22-01, a KEV listing obliges federal civilian agencies to apply the vendor fix or mitigation by the listed due date, and it is the clearest public signal that a flaw is being used against real targets rather than merely being exploitable in theory.
Here's a breakdown of the vulnerabilities added:
* **CVE-2026-20245** (CVSS score: 7.8): An improper encoding or escaping vulnerability in **Cisco Catalyst SD-WAN Manager**. This flaw could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the system.
* **CVE-2026-11645** (CVSS score: 8.8): An out-of-bounds read and write vulnerability in **Google Chrome V8**. This high-severity flaw could enable a remote attacker to execute arbitrary code inside the renderer sandbox via a specially crafted HTML page.
* **CVE-2026-7473** (CVSS score: 6.9): An incomplete comparison with missing factors vulnerability in **Arista Extensible Operating System (EOS)**. An affected switch decapsulates and forwards tunnel traffic of a type it was not configured to accept.
### Arista EOS Flaw: Exploited but No Patch Planned
**Arista** has confirmed that **CVE-2026-7473** is being actively exploited in the wild. The issue affects platforms running **Arista EOS** with a tunnel decapsulation configuration present, such as **VXLAN**, decap-groups, or a **GRE** tunnel interface. When a packet arrives whose destination IP matches the configured decapsulation IP, the switch treats it as tunnel traffic without verifying that it carries the configured tunnel protocol, so it may decapsulate and forward unexpected tunneled packets that should have been dropped or routed as ordinary traffic.
Impacted products include the 7020R, 7280R/R2, and 7500R/R2 series. Exploitation requires the device to be configured as a tunnel endpoint with a decapsulation IP.
Despite active exploitation, **Arista** has stated that no patches are planned for **CVE-2026-7473**, citing the risk that a change in decapsulation behaviour would break existing deployments. Instead, **Arista** has provided mitigations based on **Access Control Lists (ACLs)**, applied either on upstream devices or on the switches where the unexpected decapsulation occurs. The ACL should permit only the expected tunnel encapsulation, from the expected tunnel peers, to the decapsulation IP, and deny other traffic addressed to that IP.
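The following is an added example, not Arista code: it models the decapsulation decision the advisory describes (match on destination IP only), the comparison that would have been complete (destination IP plus encapsulation type), and the ACL mitigation as a first-match rule list in front of the still-vulnerable decision. The addresses, peer prefixes and packets are constructed for the example; only VXLAN (UDP/4789) and GRE (IP protocol 47) endpoints are modelled.

```python
"""Model of the CVE-2026-7473 decapsulation check and its ACL mitigation.

Added example, not Arista's implementation. It reproduces the logic the
advisory describes, not EOS internals. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

UDP, GRE, IPIP = 17, 47, 4          # IP protocol numbers
VXLAN_PORT = 4789


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None       # only meaningful for UDP/TCP


@dataclass(frozen=True)
class DecapConfig:
    decap_ip: str                     # the switch's tunnel endpoint address
    kind: str                         # "vxlan" or "gre"
    peers: Tuple[str, ...]            # prefixes the legitimate tunnel peers live in


def vulnerable_should_decap(pkt: Packet, cfg: DecapConfig) -> bool:
    """Incomplete comparison: only the destination IP is checked (the bug)."""
    return pkt.dst == cfg.decap_ip


def expected_encap(pkt: Packet, cfg: DecapConfig) -> bool:
    """True if the packet carries the encapsulation the endpoint was configured for."""
    if cfg.kind == "vxlan":
        return pkt.proto == UDP and pkt.dport == VXLAN_PORT
    if cfg.kind == "gre":
        return pkt.proto == GRE
    return False


def hardened_should_decap(pkt: Packet, cfg: DecapConfig) -> bool:
    """The complete comparison: destination IP and encapsulation type."""
    return pkt.dst == cfg.decap_ip and expected_encap(pkt, cfg)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None matches any IP protocol
    src: str                          # CIDR
    dst: str                          # CIDR
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation with an implicit deny, as on a real ACL."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action == "permit"
    return False


def decap_guard_acl(cfg: DecapConfig) -> List[Rule]:
    """Mitigation ACL: expected encapsulation from known peers to the decap IP,
    deny anything else addressed to the decap IP, pass all other traffic."""
    target = f"{cfg.decap_ip}/32"
    rules: List[Rule] = []
    for peer in cfg.peers:
        if cfg.kind == "vxlan":
            rules.append(Rule("permit", UDP, peer, target, VXLAN_PORT))
        else:
            rules.append(Rule("permit", GRE, peer, target))
    rules.append(Rule("deny", None, "0.0.0.0/0", target))
    # Without a trailing permit the implicit deny would black-hole transit traffic.
    rules.append(Rule("permit", None, "0.0.0.0/0", "0.0.0.0/0"))
    return rules


def forwarding_decision(pkt: Packet, cfg: DecapConfig) -> str:
    """Vulnerable switch behind the mitigation ACL: dropped, decapsulated or routed."""
    if not acl_permits(decap_guard_acl(cfg), pkt):
        return "dropped"
    if vulnerable_should_decap(pkt, cfg):
        return "decapsulated"
    return "routed"


# Constructed sample traffic: one VXLAN endpoint with peers in 10.1.0.0/24.
CFG = DecapConfig("10.255.0.1", "vxlan", ("10.1.0.0/24",))
LEGIT_VXLAN = Packet("10.1.0.5", "10.255.0.1", UDP, VXLAN_PORT)
ROGUE_GRE = Packet("192.0.2.10", "10.255.0.1", GRE)
ROGUE_IPIP = Packet("192.0.2.10", "10.255.0.1", IPIP)
ROGUE_VXLAN = Packet("192.0.2.10", "10.255.0.1", UDP, VXLAN_PORT)
TRANSIT_DNS = Packet("192.0.2.10", "198.51.100.7", UDP, 53)

if __name__ == "__main__":
    for name, pkt in [("legit vxlan", LEGIT_VXLAN), ("rogue gre", ROGUE_GRE),
                      ("rogue ipip", ROGUE_IPIP), ("rogue vxlan", ROGUE_VXLAN),
                      ("transit dns", TRANSIT_DNS)]:
        print(f"{name:12} vulnerable={vulnerable_should_decap(pkt, CFG)!s:5} "
              f"hardened={hardened_should_decap(pkt, CFG)!s:5} "
              f"with_acl={forwarding_decision(pkt, CFG)}")
```

Two things the model makes visible. The vulnerable check accepts the GRE and IP-in-IP packets because only the destination address is compared, whereas the hardened check rejects them. The ACL also rejects the VXLAN packet from 192.0.2.10, which even the hardened check would have decapsulated, because the source restriction is something a code fix alone would not give you. Before deploying such an ACL, check whether the decapsulation IP is also a loopback used for routing protocols or management; if so, add explicit permits for that traffic ahead of the deny, or the mitigation will break more than the attack.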
**Comcast's Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis** were credited for responsibly disclosing this vulnerability.
### Urgent Deadline for Federal Agencies
**Federal Civilian Executive Branch (FCEB)** agencies must apply the fixes or mitigations for all three vulnerabilities by June 23, 2026. The deadline binds only FCEB agencies, but CISA urges all organizations to prioritize KEV entries: administrators should confirm whether their **Cisco Catalyst SD-WAN Manager**, **Google Chrome**, and **Arista EOS** deployments are on affected versions, apply the Cisco and Google updates, and, for affected EOS switches configured as tunnel endpoints, put the recommended ACLs in place.