CISA’s Known Exploited Vulnerabilities (KEV) Catalog swelled by three new entries on June 9, 2026, each confirmed to be under active attack. CVE-2026-7473 in Arista EOS, CVE-2026-11645 in Google Chromium V8, and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager now demand urgent remediation from all organizations—especially those operating Windows-heavy environments where these technologies intertwine.

The Binding Operational Directive (BOD) 22-01 requires U.S. federal agencies to fix KEV-listed flaws within strict timelines, but private sector defenders ignore these alerts at their peril. Attackers don’t discriminate by sector, and the addition of these three vulnerabilities signals that exploit chains are already active in the wild. Below we unpack each CVE, its immediate risk to Windows-dependent infrastructures, and the steps needed to close the gaps.

CVE-2026-7473 – Arista EOS Tunnel Mechanism Abuse

Arista’s Extensible Operating System (EOS) powers a vast swath of data center and campus switches. CVE-2026-7473 stems from a flaw in the handling of specific tunnel configurations, allowing an unauthenticated, network-adjacent attacker to escalate privileges or leak sensitive information. While technical details remain under embargo pending broader patch adoption, CISA’s inclusion means the bug is being weaponized.

For Windows administrators, this hits home in multiple ways. Arista switches often serve as the backbone for Hyper-V clusters, Storage Spaces Direct deployments, and software-defined networking fabrics built on Windows Server. A compromised switch could intercept East-West traffic between virtual machines, tamper with cluster heartbeat signals, or inject malicious packets into trusted management VLANs. Even organizations that run pure Azure Stack HCI environments frequently connect back to on-premises Arista hardware for hybrid connectivity.

Patches are available from Arista’s advisory portal. Immediate action: Identify all EOS devices, especially those terminating GRE, VXLAN, or IPsec tunnels, and apply the remediation release. If patching must be delayed, restrict access to the management plane via out-of-band networks and apply strict ACLs on tunnel endpoints.

CVE-2026-11645 – Type Confusion in Chromium V8

The V8 JavaScript engine is the beating heart of Chromium-derived browsers, including Microsoft Edge, Google Chrome, Opera, Brave, and countless Electron-based apps. CVE-2026-11645 is a type confusion vulnerability that lets a remote attacker corrupt heap memory via a crafted HTML page. Exploitation typically leads to arbitrary code execution inside the browser’s sandbox, but combined with a second bug, it can break out and seize control of the host operating system.

For the millions of Windows users who rely on Chromium browsers daily, this is the most dangerous of the three entries. Edge is installed on nearly every Windows 10 and 11 system, and Chrome’s enterprise footprint remains enormous. A single phishing email linking to a malicious site or a compromised ad network serving exploit code could trigger drive-by attacks without any user interaction beyond visiting the page.

Google and Microsoft have released emergency updates: Chrome 126.0.6478.56 and Edge 126.0.2592.56. The fixes tweak V8’s internal type handling to eliminate the confusion. Windows admins must enforce browser updates via Group Policy, Intune, or third-party update tools immediately. Additionally, consider enabling Microsoft Defender Application Guard for Edge in enterprises to isolate untrusted browsing sessions in a Hyper-V container—a powerful mitigation against browser exploits.

CVE-2026-20245 – Cisco Catalyst SD-WAN Manager Compromise

Cisco’s SD-WAN Manager (formerly vManage) provides centralized control over entire wide-area networks. CVE-2026-20245 allows an attacker with access to the web management interface to execute arbitrary commands with root privileges, leading to full system takeover. The exact vector—whether a command injection, insecure deserialization, or authentication bypass—isn’t public, but the impact is clear: complete compromise of the SD-WAN fabric.

Windows environments often depend on Cisco SD-WAN to connect branch offices, remote workers, and cloud instances. A compromised manager can reroute traffic, spoof DNS replies, or inject malicious updates into edge routers. From there, attackers can pivot to on-premises Windows servers, Active Directory, and even cloud management gateways. This is a high-value target for ransomware gangs and state-sponsored espionage alike.

Cisco has released a patched version of SD-WAN Manager. Affected organizations should upgrade immediately and review administrative access logs for signs of abuse. If you cannot patch within 24 hours, disable internet-facing access to the management interface entirely, force all administrative access through a dedicated jump host with multi-factor authentication, and monitor for unexpected configuration changes via Cisco DNA Center or third-party network detection and response (NDR) tools.

Why Windows Admins Must Care About Non-Windows Vulnerabilities

The three CVEs share a common thread: each can provide an initial foothold that ultimately endangers Windows assets. Consider a real-world attack chain:

  1. A user on a Windows laptop visits a legitimate but compromised website that serves an exploit for CVE-2026-11645. The browser process is hijacked.
  2. The attacker uses the browser’s access to the local network to scan for Arista switches vulnerable to CVE-2026-7473. They find one exposing its management interface on an internal VLAN.
  3. After gaining control of the switch, they intercept LDAP authentication traffic between Windows desktops and the domain controller, recovering credentials.
  4. With valid AD credentials, they authenticate to the Cisco SD-WAN Manager via single sign-on, exploiting CVE-2026-20245 to manipulate traffic policies and exfiltrate data.

Such blended threats are not hypothetical. The CISA KEV catalog exists precisely because these bugs are being linked together in actual intrusions. Windows environments often sit at the end of these chains, hosting the crown jewels: financial databases, intellectual property, and executive communications.

Actionable Mitigations for Immediate Defense

1. Patch Aggressively and Automatically

  • For Chromium browsers: Use Windows Update for Edge, or configure Chrome’s extension policy to install updates silently. Force restart browsers if necessary through scheduled tasks.
  • For Arista EOS: Leverage Arista’s CloudVision or Ansible playbooks to mass-update switches. Test in a lab first; many EOS patches require a reboot.
  • For Cisco SD-WAN Manager: Schedule a maintenance window and follow Cisco’s upgrade guide. Ensure all managed vEdge/cEdge routers are also updated if required.

2. Limit Exposure of Management Interfaces

  • Put all network device management interfaces (Arista, Cisco, etc.) on a dedicated out-of-band network with no direct internet access. Require VPN and MFA for administrative access.
  • Do not expose SD-WAN Manager’s web UI to the internet. If remote management is essential, use an Azure Bastion, AWS Systems Manager Sessions Manager, or a similar cloud jump service.

3. Strengthen Browser Isolation

  • Deploy Microsoft Defender Application Guard (for Edge) or third-party remote browser isolation solutions. Hardware-based isolation makes it exponentially harder for a V8 exploit to break out.
  • Enforce SmartScreen and use Windows Defender Exploit Guard to block known exploit techniques like heap spraying and code injection.

4. Monitor for Indicators of Compromise

  • Review DNS and firewall logs for unexpected tunnel termination to external IPs (Arista exploit).
  • Use endpoint detection and response (EDR) on Windows hosts to spot abnormal browser child processes—for example, cmd.exe or powershell.exe spawned by msedge.exe.
  • Check SD-WAN Manager audit logs for unauthorized configuration changes or new local user accounts.

5. Subscribe to CISA’s KEV and Automate Alerts

CISA provides the KEV catalog as a machine-readable JSON feed. Integrate it into your SIEM or vulnerability management platform to get immediate notifications when flaws reach this status. Pair it with your asset inventory so you can instantly see which of your systems are affected.

The Clock Is Ticking

BOD 22-01 typically gives federal agencies three weeks to remediate KEV entries, but the smart security teams move within 48 hours. The exploits for these three CVEs are already circulating; any delay increases the chance that your organization becomes the next headline. While June 9, 2026 may seem far off to readers of today’s calendar, the lesson is timeless: treat every KEV addition as a fire alarm for your infrastructure.

Windows administrators have a challenging job juggling Microsoft’s own Patch Tuesday updates, but they cannot afford to ignore vulnerabilities in the broader ecosystem that their users and networks depend on. Whether it’s the browser on every desktop, the switch in every rack, or the SD-WAN linking every branch, these technologies form a single attack surface. Lock it down now.