What This Active Exploitation Alert Means for Your Environment
Active exploitation security alerts describe situations where attackers are already abusing known software vulnerabilities, raising the risk of remote code execution, account takeover, and data exposure if patches or mitigations are not applied quickly. In its latest update to the CISA KEV catalog, the agency added Cisco SD-WAN Manager, Chrome V8, and Arista EOS flaws, confirming that threat actors are targeting these weaknesses now. At the same time, Ivanti, Fortinet, and SAP have released critical vulnerability patches, including several issues with CVSS scores up to 10.0 that enable command injection, authentication bypass, and memory corruption. Together, these developments mark a shift from theoretical exposure to proven, in-the-wild attacks. For security and IT teams, this is a clear signal to prioritize patch deployment and configuration hardening right away, focusing on internet-exposed systems and high-value platforms first.
Cisco, Chrome, and Arista: Inside the Flaws on CISA’s KEV List
CISA’s latest additions to the CISA KEV catalog highlight three Cisco Chrome Arista flaws that attackers are exploiting. Cisco’s CVE-2026-20245 (CVSS 7.8) affects Catalyst SD-WAN Manager, where improper encoding allows an authenticated local user to execute arbitrary commands as root by supplying a crafted file. Chrome’s CVE-2026-11645 (CVSS 8.8) is an out-of-bounds read and write bug in the V8 engine, enabling remote code execution inside the sandbox via a crafted HTML page. Arista’s CVE-2026-7473 (CVSS 6.9) stems from incomplete comparison logic in EOS, causing switches to decapsulate and forward unexpected tunnel traffic when configured as tunnel endpoints. According to CISA, Federal Civilian Executive Branch agencies must apply fixes or mitigations for these critical vulnerability patches by June 23, 2026, reflecting the urgency for all organizations with similar assets.
No Patch for Arista EOS: Mitigate Tunnel Traffic Risks
The Arista EOS flaw stands out because no software fix is planned. CVE-2026-7473 affects 7020R, 7280R/R2, and 7500R/R2 series when configured as tunnel endpoints with a decapsulation IP, such as VXLAN VTEPs, GRE tunnel endpoints, or IP decap-groups. In these cases, the switch decapsulates and forwards unexpected tunneled packets whose destination IP matches its configured decapsulation IP, because it does not verify the tunnel protocol type. Arista acknowledges exploitation in the wild and instead prescribes mitigations. The company advises two broad approaches: apply ACLs on upstream devices or apply ACLs on the affected switches to selectively allow legitimate tunnel traffic or block malicious traffic. Because a full code fix may disrupt existing designs, network teams should audit all tunnel configurations, validate decapsulation endpoints, and deploy access control rules around sensitive paths as soon as possible.
Ivanti, Fortinet, and SAP: Critical Patches Before Exploitation Arrives
While not yet known to be exploited, new Ivanti, Fortinet, and SAP advisories describe high-severity bugs that could quickly become attractive to attackers. Ivanti Sentry is affected by CVE-2026-10520 (CVSS 10.0), an OS command injection flaw enabling remote unauthenticated root-level code execution, and CVE-2026-10523 (CVSS 9.9), which allows unauthenticated creation of arbitrary admin accounts. WatchTowr Labs detailed how an HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint could trigger the bug, and Ivanti added authentication controls to block unauthenticated access. Fortinet’s CVE-2026-25089 (CVSS 9.1) in FortiSandbox Web UI allows unauthorized command execution via crafted HTTP requests. SAP released fixes for four critical issues, including a SAML XML signature wrapping bug (CVE-2026-44748, CVSS 9.9) and a memory corruption flaw (CVE-2026-27671, CVSS 9.8). These critical vulnerability patches should be applied before proof-of-concept exploits spread.
Immediate Actions: Prioritize, Patch, and Harden Access
Security teams should treat these alerts as a focused to-do list. First, inventory whether Cisco Catalyst SD-WAN Manager, Google Chrome deployments, or Arista EOS devices are present, especially those exposed to the internet or handling sensitive traffic. Apply available Cisco and Chrome updates that address the active exploitation security issues and implement Arista’s ACL-based mitigations on tunnel endpoints. Next, schedule fast-track deployment of Ivanti Sentry, FortiSandbox, and SAP updates, prioritizing systems with CVSS scores of 9.0 or higher and any platforms handling authentication, SSO, or critical workloads. Where immediate patching is not possible, reduce attack surface by restricting management interfaces, enforcing strong authentication, and monitoring for suspicious HTTP requests and unusual tunnel traffic. Finally, document which CISA KEV catalog items apply to your environment and set internal deadlines aligned with or faster than the June 23, 2026 mandate for high-risk systems.
