CISA KEV Alert: Cisco, Chrome, and Arista Flaws Under Active Exploitation

Three new CVEs hit the Known Exploited Vulnerabilities catalog — here's what federal and commercial security teams must do in the next 30 days

Published 2026-06-10

CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with three newly confirmed, actively exploited flaws affecting Cisco Catalyst SD-WAN Manager, Google Chrome, and Arista network products — triggering mandatory remediation deadlines for federal agencies and raising the compliance bar for every regulated enterprise.

What the KEV Addition Actually Means

The KEV catalog is not a watchlist — it is a directive. Under Binding Operational Directive 22-01, U.S. federal civilian agencies are required to remediate catalogued vulnerabilities within defined windows, typically 14 to 21 days. For commercial organizations operating under NIS2, SOC 2, ISO 27001, HIPAA, or PCI DSS, a KEV listing is treated by auditors as evidence of a known, exploitable risk that demands documented, timely action.

The Cisco Catalyst SD-WAN Manager flaw (CVE-2026-20245, CVSS 7.8) is an improper encoding or escaping of output weakness. SD-WAN managers sit at the heart of the enterprise routing fabric, so a successful exploit can affect network segmentation, traffic inspection, and east-west visibility across branch and cloud infrastructure — precisely the controls auditors test under PCI DSS Requirement 6 and ISO 27001 Annex A.8.

The Chrome and Arista vulnerabilities compound the exposure: Chrome is present on virtually every endpoint, and Arista switches are common in data-center environments where NIS2 essential-service operators and HIPAA-covered entities process sensitive workloads.

Why This Matters Beyond Federal Compliance

Active exploitation confirmed by CISA signals that threat actors already hold working exploit code. The gap between KEV listing and widespread opportunistic attacks is measured in hours, not weeks.

For compliance teams, the downstream consequences are concrete:

What You Should Do in the Next 7–30 Days

Days 1–7: Inventory all Cisco Catalyst SD-WAN Manager instances, Chrome deployments on managed endpoints, and Arista devices. Confirm which are internet-facing or segmentation-critical. Assign owners and open tracked remediation tickets today.

Days 8–14: Apply vendor patches as they become available or implement CISA-recommended mitigations. Document every action taken — auditors need evidence of both detection and response, not just the patch.

Days 15–30: Update your vulnerability management policy to confirm KEV catalog monitoring as a standing process. Cross-map your remediation evidence to each applicable framework control. If any system cannot be patched within your policy window, execute a formal risk acceptance with compensating controls documented in writing.

Automate continuous KEV monitoring so the next catalog update triggers an alert, not a scramble.
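As an added illustration of the standing KEV monitoring the last step calls for (example code written for this post, not RDS GoSOC AI's own), the following Python matches a KEV feed against an asset inventory and reports entries that have no remediation ticket yet, with their BOD 22-01 due dates. The feed sample, inventory, owner names and the placeholder CVE IDs are constructed; only CVE-2026-20245 is from the advisory, and the feed URL is CISA's published JSON endpoint.

```python
import json
import urllib.request
from datetime import date

# CISA's machine-readable KEV feed (fetched by fetch_kev_feed; not needed for the offline sample).
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. Only CVE-2026-20245 is from the advisory;
# the other IDs, products and dates are placeholders.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "Arista", "product": "EOS",
     "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    {"cveID": "CVE-PLACEHOLDER-0003", "vendorProject": "ExampleVendor", "product": "Unused Product",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22"},
]})

# Constructed asset inventory: (vendor prefix, product substring) -> owning team.
# An empty product substring matches every product from that vendor.
INVENTORY = {
    ("cisco", "sd-wan manager"): "network-team",
    ("google", "chrom"): "endpoint-team",
    ("arista", ""): "datacenter-team",
}


def fetch_kev_feed(url=KEV_URL):
    """Download the live KEV catalog as a JSON string."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def new_kev_matches(kev_json, inventory, ticketed_ids, today):
    """Return KEV entries relevant to the inventory that have no ticket yet, soonest due first."""
    hits = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if v["cveID"] in ticketed_ids:
            continue  # already tracked from an earlier catalog update
        vendor, product = v["vendorProject"].lower(), v["product"].lower()
        for (inv_vendor, inv_product), owner in inventory.items():
            if vendor.startswith(inv_vendor) and inv_product in product:
                due = date.fromisoformat(v["dueDate"])
                hits.append({"cve": v["cveID"], "owner": owner,
                             "days_left": (due - today).days, "overdue": due < today})
                break
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in new_kev_matches(SAMPLE_KEV, INVENTORY, set(), date(2026, 6, 10)):
        print(hit)
```

In a scheduled job, replace SAMPLE_KEV with fetch_kev_feed() and feed ticketed_ids from your ticketing system so each run reports only catalog entries that still lack an owner.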

Start a 14-Day Free Trial of RDS GoSOC AI

RDS GoSOC AI maps active threats and vulnerability findings directly to all 16 supported compliance frameworks — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS — in a single multi-tenant platform. Every paid feature is unlocked from day one of your trial, and no credit card is required. Register at https://platform.reremrdsgosoc.com/register, open the User Guide tab inside the app to get oriented quickly, and use the Sage handle to ask setup questions and map these KEV CVEs to your specific control requirements in minutes.