Threat analysis (vendor severity: Medium)

Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass

CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.

Tags: #arista #eos #cisa-kev #segmentation-bypass #network-security

    Executive Summary

    Arista Security Advisory 0137 documents CVE-2026-7473, a tunnel-protocol validation flaw in EOS. On affected hardware configured as a tunnel endpoint, packets addressed to a configured decapsulation IP can be decapsulated even when their outer tunnel protocol is not the configured type (Arista Advisory 0137).

    Arista reports exploitation in the wild and rates the issue Medium, with CVSS 4.0 score 6.9 and CVSS 3.1 score 5.8. CISA added the CVE to KEV on 2026-06-09 with a federal due date of 2026-06-23 (CISA KEV). Exposure depends on both platform family and active VXLAN, GRE, GUE, IP-in-IP, NVGRE, or decap-group configuration.

    Key Facts

    cve: "CVE-2026-7473"
    vendor: "Arista"
    product: "EOS"
    vulnerability_class: "unexpected tunnel-protocol decapsulation"
    cwe: "CWE-1023"
    vendor_severity: "Medium"
    cvss_v4_0: "6.9"
    cvss_v3_1: "5.8"
    required_configuration: "device configured as a tunnel endpoint with a decapsulation IP"
    fully_affected_platform_families:
      - "7020R Series"
      - "7280R/R2 Series"
      - "7500R/R2 Series"
    limited_scenario_platform_families:
      - "7280R3 Series"
      - "7500R3 Series"
      - "7800R3 Series"
    kev_added: "2026-06-09"
    kev_due_date: "2026-06-23"
    fixed_versions: "none planned (use configuration mitigations)"
    last_verified: "2026-06-11"

    Evidence Assessment

    • confirmed: Arista says a configured tunnel endpoint can accept and decapsulate other tunnel protocols sent to the same decapsulation IP.
    • confirmed: All documented scenarios apply to 7020R, 7280R/R2, and 7500R/R2. Only the IP-in-IPv6 and GUE IPv6 decap-group scenarios apply to the R3 families listed above.
    • confirmed: Arista provides configuration checks and ACL mitigations, but has explicitly stated that no software patches or hotfixes are planned due to configuration disruption risks.
    • confirmed: CISA added the CVE to KEV on 2026-06-09.
    • unknown: Public sources do not identify the actor, victim environment, packet samples, source addresses, or exploitation dates.
    • not supported: The earlier claim that all EOS 4.30.x through 4.36.x releases are affected is not stated in the current vendor advisory.

    Exposure Checks

    Run the vendor-documented checks on each candidate device:

    show interfaces vxlan 1
    show interfaces Tunnel0
    show ip decap-group

    A VXLAN interface showing an active source interface, an up GRE tunnel with source and destination, or configured decap groups makes the device potentially affected when it is also on an applicable platform. If none of these outputs show a tunnel endpoint, Arista says the device is not exposed to this issue.

    Impact Determination

    Confirmed exploitation
      Criteria: Telemetry shows an unexpected tunnel protocol was decapsulated and forwarded to an internal segment.
      Required evidence: Packet capture, ACL counters, flow records, and device configuration.
      Required action: Restrict traffic to the decapsulation IP, preserve evidence, and investigate reached internal assets.

    Presumed exposed
      Criteria: Applicable platform has an active tunnel endpoint without protocol-specific filtering.
      Required evidence: show version, platform inventory, and tunnel configuration output.
      Required action: Apply Arista’s upstream or on-box ACL mitigation and engage Arista support for current remediation guidance.

    Potentially exposed
      Criteria: Arista EOS platform or tunnel configuration is unknown.
      Required evidence: Device inventory and the three configuration checks above.
      Required action: Inventory immediately and restrict untrusted access to possible decapsulation IPs.

    Not exposed
      Criteria: Device is outside the affected platform/scenario set or has no tunnel endpoint configuration.
      Required evidence: Platform and configuration evidence.
      Required action: Document the result and retain standard control-plane filtering.

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
    import os
    import sys
    from pathlib import Path
    
    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-arista-eos-cve-2026-7473-kev-scope"))
    # KEV-addition window recorded as scope metadata (this script does not filter on it).
    SINCE = "2026-06-09T00:00:00Z"
    UNTIL = "2026-06-09T23:59:59Z"
    
    # Selector lists. Public sources publish no packages, file names, IPs, hashes, or
    # process/network patterns for this CVE (see Evidence Assessment), so those lists
    # are intentionally empty; only the advisory and KEV reference locations are known.
    PACKAGES = []
    VERSIONS = []
    FILES = []
    DOMAINS = [
      "www.arista.com",
      "www.cisa.gov",
    ]
    URLS = [
      "https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137",
      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473",
    ]
    IPS = []
    HASHES = []
    PROCESS_PATTERNS = []
    NETWORK_PATTERNS = []
    
    # Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
    # Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
    
    OUT.mkdir(parents=True, exist_ok=True)
    indicators_file = OUT / "indicators.txt"
    
    # Collect unique, non-empty indicators across all selector groups
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        for val in group:
            if val:
                indicators.add(val)
    
    with open(indicators_file, "w") as f:
        for ind in sorted(indicators):
            f.write(ind + "\n")
    
    print(f"[+] Written unique selectors to {indicators_file}")
    
    # Walk the local directory, skipping dependency and build trees
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = []
    exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
    for root, dirs, filenames in os.walk(ROOT):
        dirs[:] = [d for d in dirs if d not in exclude_dirs]
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # unreadable or binary file; skip
    
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")
    
    # Optional scan of exported telemetry (set LOG_ROOT to enable)
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = []
        for root, _, filenames in os.walk(LOG_ROOT):
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                    for ind in indicators:
                        if ind in content:
                            log_matches.append(f"{filepath}: found '{ind}'")
                except Exception:
                    pass  # unreadable or binary file; skip
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")
    
    print(f"[+] Wrote scope artifacts under {OUT}")
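    The scope script above only matches published selectors. The check a hunter actually needs for this CVE is whether traffic reaching a decapsulation IP carried an outer protocol other than the tunnel type configured on that endpoint. The following is an added example (not Arista's code and not part of the page's script) that runs that check over constructed flow records; the decapsulation IPs, tunnel types, and flows are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional
# Outer-header signature of each tunnel type the advisory names: (IP protocol number,
# UDP destination port or None). Standard assignments: GRE/NVGRE proto 47, IP-in-IP
# proto 4, IPv6-in-IP proto 41, VXLAN UDP/4789, GUE UDP/6080.
TUNNEL_SIGNATURE = {
    "vxlan": (17, 4789),
    "gue": (17, 6080),
    "gre": (47, None),
    "nvgre": (47, None),
    "ipip": (4, None),
    "ip6ip": (41, None),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int               # IP protocol number of the outer header
    dport: Optional[int]     # UDP/TCP destination port, None for non-L4 protocols

def is_expected_tunnel(flow: Flow, tunnel_type: str) -> bool:
    proto, port = TUNNEL_SIGNATURE[tunnel_type]
    return flow.proto == proto and (port is None or flow.dport == port)

def find_unexpected(flows, decap_config, allowed_services=()):
    """decap_config maps each decapsulation IP to its configured tunnel type; allowed_services
    holds (proto, dport) pairs, e.g. BGP, that legitimately share the IP. Returns the rest."""
    hits = []
    for f in flows:
        tunnel_type = decap_config.get(f.dst)
        if tunnel_type is None:
            continue  # not a decapsulation IP on this device
        if is_expected_tunnel(f, tunnel_type) or (f.proto, f.dport) in allowed_services:
            continue
        hits.append((f.src, f.dst, f.proto, f.dport))
    return hits
# Constructed sample flows: 198.51.100.10 is a VXLAN VTEP that also peers BGP.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "198.51.100.10", 17, 4789),   # expected VXLAN
    Flow("203.0.113.5", "198.51.100.10", 6, 179),     # BGP session, allowed
    Flow("203.0.113.77", "198.51.100.10", 47, None),  # GRE aimed at a VXLAN-only VTEP
    Flow("203.0.113.77", "198.51.100.10", 17, 6080),  # GUE aimed at a VXLAN-only VTEP
    Flow("203.0.113.77", "198.51.100.20", 4, None),   # IP-in-IP, but not a decap IP here
]

if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_FLOWS, {"198.51.100.10": "vxlan"}, {(6, 179)}):
        print("unexpected tunnel protocol to decapsulation IP:", hit)
```

    Any hit here is the "Confirmed exploitation" evidence the matrix above asks for only once it is corroborated with a capture or ACL counter; on its own it marks the device presumed exposed.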

    Mitigation and Closure

    Arista describes two mitigation patterns:

    1. Apply ACLs on upstream devices to permit only the expected tunnel protocol and destination port to each decapsulation IP.
    2. Apply ACLs on the affected Arista device to allow expected tunnel traffic or block known-unexpected tunnel traffic.

    If a decapsulation IP also serves BGP, SSH, or another service, explicitly permit that traffic before the deny rule. A broad deny applied without this sequencing can disrupt management or routing.
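    As an added example (not Arista's published configuration), the helper below builds the on-box ACL of the second pattern with shared-service permits sequenced before the deny, and checks an existing ACL for permits that a broad deny has already shadowed. The "seq action proto any host IP [eq port]" line format is assumed EOS-style syntax; the decapsulation IP and ports are sample values.

```python
def build_decap_acl(name, decap_ip, expected, services=()):
    """expected: (protocol, port_or_None) for the one tunnel type configured on this
    endpoint, e.g. ("udp", 4789) for VXLAN or ("gre", None). services: (protocol, port)
    pairs such as ("tcp", 179) for BGP that also terminate on the decapsulation IP."""
    entries, seq = [], 10

    def add(rule):
        nonlocal seq
        entries.append(f"{seq} {rule}")
        seq += 10

    # 1. Services that share the IP are permitted first, so the deny cannot cut them off.
    for proto, port in services:
        add(f"permit {proto} any host {decap_ip} eq {port}")
    # 2. Only the configured outer tunnel protocol (plus port for UDP tunnels) is allowed.
    proto, port = expected
    add(f"permit {proto} any host {decap_ip}" + (f" eq {port}" if port is not None else ""))
    # 3. Everything else aimed at the decapsulation IP is dropped; other transit is untouched.
    add(f"deny ip any host {decap_ip}")
    add("permit ip any any")
    return [f"ip access-list {name}"] + [f"   {e}" for e in entries]


def shadowed_permits(acl_lines, decap_ip):
    """Return permit entries for decap_ip that sit after a broad deny of that host;
    they can never match, which is the sequencing mistake described above."""
    broad_deny = f"deny ip any host {decap_ip}"
    seen_deny, shadowed = False, []
    for line in acl_lines:
        rule = line.strip().split(maxsplit=1)[-1]   # drop the sequence number
        if rule == broad_deny:
            seen_deny = True
        elif seen_deny and rule.startswith("permit ") and f" host {decap_ip} " in f"{rule} ":
            shadowed.append(line.strip())
    return shadowed


if __name__ == "__main__":
    acl = build_decap_acl("VTEP-GUARD", "198.51.100.10", ("udp", 4789),
                          (("tcp", 179), ("tcp", 22)))
    print("\n".join(acl))
    misordered = ["ip access-list BAD", "   10 deny ip any host 198.51.100.10",
                  "   20 permit tcp any host 198.51.100.10 eq 179", "   30 permit ip any any"]
    print("shadowed:", shadowed_permits(misordered, "198.51.100.10"))
```

    Match the expected tuple to what show interfaces vxlan 1, show interfaces Tunnel0, and show ip decap-group actually report for the device before applying the result.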

    Close remediation only after:

    • Every applicable device has platform and tunnel configuration evidence.
    • Protocol-specific ACLs protect reachable decapsulation IPs.
    • Counters and flow telemetry are reviewed for prior unexpected traffic.
    • Arista support confirms whether a software or hardware remediation is available for the exact platform.

    Machine-Readable Event Profile

    {
      "event_id": "arista-eos-cve-2026-7473-kev",
      "cve": "CVE-2026-7473",
      "vendor_severity": "medium",
      "cvss_v4_0": 6.9,
      "cvss_v3_1": 5.8,
      "kev_added": "2026-06-09",
      "kev_due_date": "2026-06-23",
      "network_iocs": [],
      "file_hashes": [],
      "confidence": "high",
      "last_verified": "2026-06-10"
    }

    Sources

    1. Arista: Security Advisory 0137 - Role: DIRECT_SOURCE - Impact: Exploitation status, affected platform scenarios, configuration checks, indicators, scores, and mitigations.
    2. CISA: KEV entry for CVE-2026-7473 - Role: GOVERNMENT_SOURCE - Impact: KEV date, due date, and required action.
    3. NIST NVD: CVE-2026-7473 - Role: ENRICHMENT_DATA - Impact: CVE record, CWE, CVSS vectors, and vendor references.

    IOC Clipboard

    The entries below are the advisory and KEV reference locations used by the scope script (defanged form in parentheses); public sources publish no attacker indicators for this CVE.

    domain  www.arista.com  (www[.]arista[.]com)
    domain  www.cisa.gov  (www[.]cisa[.]gov)
    url  https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137  (hxxps://www[.]arista[.]com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137)
    url  https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473  (hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473)