What These Active Zero-Day Exploits Mean for Your Network
Zero-day exploits active in widely used software are security flaws that attackers weaponize before defenders can fully respond, forcing organizations to patch, reconfigure, or mitigate under time pressure to avoid compromise. The latest additions to the CISA KEV catalog highlight three such threats: a Chrome V8 vulnerability, a Cisco Catalyst SD-WAN Manager flaw, and an Arista EOS issue affecting tunnel decapsulation. KEV listing signals that exploitation is not theoretical; threat actors are already using these bugs in the wild. That makes them more urgent than many higher-scoring but dormant vulnerabilities. If your environment depends on Chrome-based browsers, Cisco SD-WAN controllers, or Arista switches handling VXLAN or GRE traffic, you face elevated risk until you apply a critical security update or enforced workaround. The following sections outline what each CVE means and how to prioritize your response.
Chrome V8 CVE-2026-11645: A High-Risk Browser Zero-Day
The Chrome V8 vulnerability CVE-2026-11645 is a high-severity out-of-bounds memory access in Google’s JavaScript and WebAssembly engine, now confirmed among zero-day exploits active in the wild. According to The Hacker News, Google has released security updates that fix 74 vulnerabilities and "acknowledged that an exploit for CVE-2026-11645 exists in the wild." NVD describes it as allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, giving attackers a strong foothold for further compromise. To apply the CVE-2026-11645 patch, update Chrome to 149.0.7827.102/.103 on Windows and macOS, and 149.0.7827.102 on Linux, then relaunch the browser. Do the same for Chromium-based browsers like Edge, Brave, Opera, and Vivaldi as their updates ship. Treat this as a critical security update for any endpoint accessing external websites or untrusted content.
Cisco SD-WAN Manager CVE-2026-20245: Command Execution Risk
Cisco Catalyst SD-WAN Manager is affected by CVE-2026-20245, an improper encoding or escaping of output flaw with a CVSS score of 7.8. This vulnerability allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. While it requires local, authenticated access, SD-WAN Manager is a high-value target because it controls wide parts of your network fabric. Once CISA adds such a flaw to the CISA KEV catalog, it means exploitation is confirmed and defenders should assume scanning and targeting are underway. Prioritize installing Cisco’s fixed releases or recommended workarounds on all SD-WAN Manager instances, especially those managing internet-facing or branch connections. As part of the same change window, tighten access controls around the management plane: audit admin accounts, enforce multi-factor authentication, and monitor for unusual file uploads or command execution attempts.
Arista EOS CVE-2026-7473: No Patch, Only Mitigation
Arista EOS CVE-2026-7473 is an incomplete comparison vulnerability affecting tunnel decapsulation, allowing switches to incorrectly decapsulate and forward unexpected tunneled packets whose destination IP matches a configured decapsulation IP. This impacts 7020R, 7280R/R2, and 7500R/R2 series devices acting as VXLAN VTEPs, GRE endpoints, or using IP decap-groups. Arista notes the issue "has been reported as being exploited in the wild" and, crucially, is not planning a software patch because of the risk of breaking existing configurations. That makes mitigation your only option. Follow Arista’s guidance: apply ACLs on upstream devices or on the affected switches themselves to either allow only legitimate tunnel traffic or block suspected malicious tunnel traffic. Pay special attention to decapsulation IPs exposed across untrusted or shared transport networks, and log unexpected tunnel types or sources.
Response Priorities and Immediate Action Plan
With all three flaws in the CISA KEV catalog, you should assume active probing and exploitation and act on a clear priority path. First, deploy the CVE-2026-11645 patch across all Chrome and Chromium-based browsers, since a crafted HTML page can trigger code execution on any user visiting malicious or compromised sites. Next, update Cisco Catalyst SD-WAN Manager to the latest fixed release and restrict who can log in locally, as a successful exploit provides root-level command execution. For Arista EOS CVE-2026-7473, plan configuration changes carefully: design ACLs that block or tightly filter tunnel traffic to decapsulation endpoints without disrupting valid VXLAN or GRE flows. CISA has ordered federal agencies to apply fixes or mitigations by June 23, 2026; aim to beat or match that timeline for comparable environments and track completion in your vulnerability management system.
