CISA KEV Update: Active Exploitation of Google Chrome, Arista EOS, and Cisco Systems
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to include critical flaws in Google Chrome, Arista EOS, and Cisco Systems, transitioning these vulnerabilities from theoretical risks to confirmed active exploitations. The Chrome vulnerabilities involve sandbox escapes—addressed in the Stable Channel 149 update—allowing attackers to gain host-level execution from the browser process. Simultaneously, critical flaws in Arista EOS and Cisco networking hardware provide vectors for network-wide interception, disruption, and lateral movement. Immediate remediation via vendor patches is mandatory for federal agencies and critical for enterprise environments to mitigate the risk of perimeter breach and internal escalation.
Cisco Unified Communications Manager: Critical SSRF-to-RCE Chain CVE-2026-20230
CVE-2026-20230 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Session Management Edition (SME) that enables unauthenticated remote attackers to achieve root-level system compromise. The attack chain exploits improper input validation in the WebDialer service to trigger a Server-Side Request Forgery (SSRF). By leveraging the file:// URI scheme, attackers can perform arbitrary file writes to the underlying operating system, allowing for the deployment of a rogue Apache Axis service and subsequent webshell installation. Active exploitation involving automated sweeps and Tor-based activity has been observed since late June 2026. Immediate patching to versions 14SU6 or 15SU5 is required, or the WebDialer service must be disabled.
Cisco Catalyst SD-WAN: Critical Privilege Escalation via CVE-2026-20245
A zero-day vulnerability, identified as CVE-2026-20245, has been exploited in the wild to achieve local privilege escalation (LPE) and arbitrary command execution on Cisco Catalyst SD-WAN Manager and SD-WAN appliances. Rated with a CVSS score of 7.8, the vulnerability requires authenticated local access to trigger the escalation to root-level privileges. Investigations by Mandiant indicate an active exploitation window of at least 60 days prior to disclosure, primarily targeting Communications Service Providers (CSPs). Successful exploitation grants attackers full control over the management plane, facilitating deep network visibility, traffic interception, and long-term persistence within critical telecommunications infrastructure.
Cisco Catalyst SD-WAN Manager Path Traversal Vulnerability CVE-2026-20262
CVE-2026-20262 is a path traversal vulnerability in the Web UI of Cisco Catalyst SD-WAN Manager that allows authenticated remote attackers to create or overwrite arbitrary files on the underlying Linux operating system. By utilizing directory traversal sequences (e.g., ../) in HTTP requests, attackers can achieve root privilege escalation, enabling full control over the SD-WAN orchestration layer. This vulnerability is currently weaponized and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation facilitates network-wide compromise, traffic redirection, and persistent backdoor installation via the modification of system binaries or startup scripts.
Cisco Catalyst SD-WAN Authentication Bypass Zero-Day
A critical authentication bypass vulnerability, tracked as CVE-2026-20182, has been identified in the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager. Exploited in the wild by the sophisticated threat actor UAT-8616, this flaw allows unauthenticated attackers to bypass security checks, facilitating unauthorized access to the SD-WAN infrastructure. The vulnerability carries a CVSS score of 10.0, posing a maximum risk of full control plane compromise, which could enable large-scale network traffic interception or redirection. Organizations are urged to apply official Cisco patches immediately to prevent targeted exploitation and potential network-wide lateral movement or data exfiltration.
Critical Root Privilege Escalation in Cisco Unified Communications Manager CVE-2026-20230
A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-20230, exists in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker can leverage a specific URI endpoint to facilitate an SSRF attack, bypassing filesystem protections to achieve arbitrary file writes on the underlying system. By injecting malicious data into critical system files—such as configuration files, cron jobs, or system binaries—the attacker can execute a secondary stage of privilege escalation to gain full root-level access. This vulnerability represents a total loss of confidentiality, integrity, and availability, necessitating immediate remediation via Cisco-provided software patches to prevent complete system compromise.