Network Infrastructure Under Compound Pressure: Cisco and Arista

Two Cisco entries and one Arista entry were added during this cycle, presenting a compounding risk picture for organizations relying on SD-WAN and network operating systems at scale.

CVE-2026-20262 (Cisco Catalyst SD-WAN Manager) is a path traversal vulnerability that allows an authenticated remote attacker to create or overwrite arbitrary files on the system filesystem. Its patch deadline is June 29, giving teams slightly more runway, but the authenticated precondition should not induce complacency — credential compromise in SD-WAN management planes is well-documented and often precedes this class of exploit. Treat this as a two-stage threat: if your SD-WAN Manager credentials have been exposed through phishing, password reuse, or a prior breach, this CVE becomes unauthenticated in practice. Rotate administrative credentials now and restrict management plane access to out-of-band networks or MFA-enforced jump hosts.

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager, same platform) was added June 9 with a deadline of June 23. This improper encoding/escaping vulnerability allows an authenticated local attacker to execute arbitrary commands as root via a crafted file. The simultaneous presence of two KEV-listed vulnerabilities in Cisco Catalyst SD-WAN Manager represents a chained exploitation risk — lateral movement or privilege escalation scenarios become considerably more tractable when both are unpatched. Network operations teams should treat the June 23 deadline as firm and apply the consolidated Cisco advisory covering both CVEs in a single maintenance window.

CVE-2026-7473 (Arista Extensible Operating System) adds a third network-layer concern with a June 23 deadline. The incomplete comparison vulnerability causes EOS switches to incorrectly decapsulate and forward unexpected tunneled packets matching the configured decapsulation IP. In practice, this can be abused to bypass network segmentation controls and route traffic through boundaries it should never cross. For organizations using Arista EOS in data center spine-leaf or cloud interconnect topologies, this is a segmentation integrity issue as much as a device-level vulnerability. Audit tunnel decapsulation configurations and validate east-west traffic inspection controls while patches are applied.

Browser Engines and Shared Hosting: Broad-Surface Exploitation Vectors

CVE-2026-11645 (Google Chromium V8), added June 9 with a June 23 deadline, involves out-of-bounds read and write in the V8 JavaScript engine, enabling arbitrary code execution inside the sandbox via crafted HTML. The critical operational note: this vulnerability affects any browser built on Chromium, explicitly including Microsoft Edge and Opera in addition to Chrome. Enterprise teams that manage browser policy through endpoint management platforms should push updates fleet-wide and not wait for organic user-initiated updates. BOD 22-01 applies for federal agencies; confirm patch status through your EDR or UEM telemetry rather than relying on self-reporting.

CVE-2026-54420 (LiteSpeed cPanel Plugin) rounds out the catalog with a symlink following vulnerability in a shared hosting context, carrying a deadline of June 18 — tomorrow. Users with FTP or web shell access on CloudLinux/CageFS-protected shared hosting servers can exploit symlink resolution to escape filesystem restrictions. Managed hosting providers and web hosting resellers carrying this plugin are the primary exposure. The low barrier to exploitation — requiring only existing FTP credentials — means this will likely be exploited by low-sophistication actors alongside more targeted campaigns. Update immediately or disable the LiteSpeed cPanel plugin; notify affected tenants of potential CageFS bypass exposure.

Summary Deadline Table

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-10520 | Ivanti Sentry | June 14 | Overdue | | CVE-2026-35273 | Oracle PeopleSoft | June 15 | Overdue | | CVE-2026-54420 | LiteSpeed cPanel Plugin | June 18 | Tomorrow | | CVE-2026-48907 | Widget Factory Joomla CE | June 19 | 2 days | | CVE-2026-20245 | Cisco SD-WAN Manager | June 23 | 6 days | | CVE-2026-11645 | Google Chromium V8 | June 23 | 6 days | | CVE-2026-7473 | Arista EOS | June 23 | 6 days | | CVE-2026-20262 | Cisco SD-WAN Manager | June 29 | 12 days |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Cisco Security Advisories · Oracle Critical Patch Update · Ivanti Security Advisories · Google Chrome Releases · Arista Security Advisories · CISA BOD 22-01