Critical threat analysis

Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Segmentation Bypass

CISA added Arista EOS CVE-2026-7473 to its KEV catalog on 2026-06-09 due to active exploitation. This critical security-bypass vulnerability lets remote attackers defeat network segmentation by sending tunneled packets (VXLAN, GRE) that the switch decapsulates without verifying the outer protocol type.


    Executive Summary

    CISA added CVE-2026-7473 to the Known Exploited Vulnerabilities catalog on 2026-06-09, marking it as actively exploited (CISA KEV). The affected product is Arista EOS (Extensible Operating System). The vulnerability is a critical security bypass (CWE-1023: Incomplete Comparison with Missing Factors): affected switches incorrectly decapsulate and forward unexpected tunneled packets (such as VXLAN, GRE, or decap-groups) whenever the destination IP matches the switch’s decapsulation address, because the switch hardware never verifies the outer tunnel protocol type.

    Attackers can exploit this flaw to inject packets directly into segregated networks, bypassing access control lists (ACLs) and network segmentation. The vulnerability affects all Arista EOS releases in the 4.30.x through 4.36.x trains running on platforms such as the 7020R Series, 7280R/R2 Series, and 7500R/R2 Series. Deployments that do not utilize tunnel interface decapsulation are not affected. Organizations should consult Arista Security Advisory 0137 for mitigation guidance.

    Key Facts

    cve: "CVE-2026-7473"
    vendor: "Arista"
    product: "EOS (Extensible Operating System)"
    vulnerability: "Segmentation bypass via unvalidated tunneled packet decapsulation"
    cwe: "CWE-1023"
    disclosed_date: "2026-06-09"
    kev_added: "2026-06-09"
    affected_versions: "4.30.x to 4.36.x"
    fixed_versions: "Patches detailed in Arista Advisory 0137"
    affected_platforms:
      - "7020R Series"
      - "7280R/R2 Series"
      - "7500R/R2 Series"
      - "7280R3 Series (partial)"
    high_value_evidence:
      - "Arista Security Advisory 0137"
      - "VXLAN/GRE/decap-group tunnel configuration"

    Source Confidence & Evidence Mapping

    • confirmed: CISA added CVE-2026-7473 to the KEV catalog, verifying active exploitation in the wild (CISA KEV).
    • confirmed: Arista published Security Advisory 0137 detailing the incomplete tunnel comparison defect and listing affected software releases and hardware platforms (Arista Advisory 0137).
    • confirmed: NIST NVD indexes the vulnerability under CWE-1023, mapping the hardware-level decapsulation behavior (NIST NVD).

    Impact Determination

    Each classification lists its criteria, the evidence required to assign it, and the handling decision.

    • Confirmed compromise
      Criteria: Switch logs or network telemetry show unexpected decapsulated traffic entering segmented subnets from external paths, or packets carrying inner payloads targeting internal subnets that bypass external ACL checks.
      Required evidence: Network flow captures (NetFlow/IPFIX) proving unauthorized VXLAN/GRE decapsulation, or unusual network traffic origins.
      Handling decision: Isolate the affected routing path, block tunnel ports on edge boundaries, enable ingress filter checks, and conduct full network segmentation forensics.
    • Presumed exposed
      Criteria: Arista EOS is running an affected version (4.30.x to 4.36.x) on an affected hardware platform, and tunnel decapsulation (VXLAN/GRE/decap-groups) is actively configured.
      Required evidence: Running-config review (show version, show interface vxlan, or show tunnel).
      Handling decision: Apply the patches provided in Arista Advisory 0137; enforce ACL rules on decapsulation IP addresses.
    • Potentially exposed
      Criteria: Arista switches are present in the infrastructure, but configuration and version details are unverified.
      Required evidence: Network asset inventory listings.
      Handling decision: Audit Arista configurations for tunnel interfaces and versions.
    • Not exposed
      Criteria: Arista switches do not use any tunnel interface configuration, or versions are verified as patched.
      Required evidence: Verified configuration outputs showing no tunnel endpoints.
      Handling decision: No immediate action required.
    • Unknown
      Criteria: Device configuration or software versions are undocumented.
      Required evidence: Missing asset inventory or CLI access.
      Handling decision: Assume exposure and query Arista device states.
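The classification above can be applied per device from two pieces of evidence, a `show version` dump and the running config. The following is an added example, not part of the original post or Arista's tooling; the `Software image version:` line format, the config markers, and the `patched_versions` placeholder are assumptions to adjust against Advisory 0137.

```python
import re
from typing import Optional, Tuple

# 4.30.x through 4.36.x, as stated in the summary above; confirm the exact
# release list and the fixed releases against Arista Security Advisory 0137.
AFFECTED_MIN, AFFECTED_MAX = (4, 30), (4, 36)

# Running-config fragments that indicate tunnel decapsulation is in use.
# The EOS syntax here is an assumption for the example; extend for your configs.
TUNNEL_MARKERS = ("interface vxlan", "interface tunnel", "decap-group")

def parse_eos_version(show_version: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch from a 'show version' dump (line format assumed)."""
    m = re.search(r"Software image version:\s*(\d+)\.(\d+)\.(\d+)", show_version)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def version_in_affected_train(v: Tuple[int, int, int]) -> bool:
    return AFFECTED_MIN <= (v[0], v[1]) <= AFFECTED_MAX

def has_tunnel_decap(running_config: str) -> bool:
    """True if any config line mentions a tunnel/decap marker (case-insensitive)."""
    return any(marker in line.lower()
               for line in running_config.splitlines() for marker in TUNNEL_MARKERS)

def classify_exposure(show_version: Optional[str], running_config: Optional[str],
                      patched_versions: Tuple[Tuple[int, int, int], ...] = ()) -> str:
    """Map one device's evidence onto the Impact Determination rows above."""
    if show_version is None and running_config is None:
        return "unknown"                    # no CLI access or inventory detail
    if show_version is None or running_config is None:
        return "potentially-exposed"        # device known, evidence incomplete
    v = parse_eos_version(show_version)
    if v is None:
        return "potentially-exposed"        # version string not recognised
    if not has_tunnel_decap(running_config):
        return "not-exposed"                # no tunnel decapsulation configured
    if v in patched_versions or not version_in_affected_train(v):
        return "not-exposed"                # patched, or outside the affected trains
    return "presumed-exposed"

# Constructed sample evidence (not real device output).
SAMPLE_SHOW_VERSION = "Arista DCS-7280R2\nSoftware image version: 4.32.1F\n"
SAMPLE_CONFIG_WITH_VXLAN = "hostname core1\ninterface Vxlan1\n   vxlan source-interface Loopback1\n"
SAMPLE_CONFIG_NO_TUNNEL = "hostname access1\ninterface Ethernet1\n"
```

A "confirmed compromise" verdict needs telemetry evidence that this function does not see, so its output is an upper bound of "presumed-exposed".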

    Timeline

    • 2026-06-09: Arista publishes Security Advisory 0137 disclosing the segmentation bypass issue.
    • 2026-06-09: CISA adds CVE-2026-7473 to the Known Exploited Vulnerabilities catalog.
    • 2026-06-10: This threat post analysis is published.

    Technical Analysis

    Arista EOS switches optimize tunnel decapsulation (e.g. VXLAN, GRE) at the hardware level. When a packet arrives with a destination IP corresponding to the switch’s decapsulation loopback address, the switch hardware attempts to decapsulate the packet.

    Due to a validation failure (CWE-1023), the hardware decapsulates the packet without checking if the transport layer matches the configured tunnel protocol type. An attacker can craft a packet containing an inner payload targeting a segmented network and encapsulate it inside an unexpected protocol. The switch will decapsulate and forward the inner packet, bypassing network boundary protections and ACLs.
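The missing comparison can be reproduced offline as a hunting filter over captured packets: for each packet addressed to the decapsulation address, check whether the outer transport matches the tunnel type configured there, and flag the ones that do not, since those are exactly the packets a vulnerable switch would still decapsulate. This is an added example, not code from the post or from Arista; the decap address, the tunnel policy, and the sample capture are constructed for the example.

```python
import struct

PROTO_UDP, PROTO_GRE = 17, 47        # IANA IP protocol numbers
VXLAN_UDP_PORT = 4789                # RFC 7348 default VXLAN port

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), pkt[ihl:]

def classify_outer(pkt: bytes, decap_ip: str, expected: str) -> str:
    """The check the text says the hardware skips: does the outer transport match
    the tunnel type configured for decap_ip? expected is 'vxlan' or 'gre'."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "not-ipv4"
    proto, _src, dst, payload = parsed
    if dst != decap_ip:
        return "not-decap-target"
    if expected == "vxlan" and proto == PROTO_UDP and len(payload) >= 8 \
            and struct.unpack("!H", payload[2:4])[0] == VXLAN_UDP_PORT:
        return "expected-vxlan"
    if expected == "gre" and proto == PROTO_GRE:
        return "expected-gre"
    return "unexpected-outer-protocol"   # a vulnerable device would decapsulate this anyway

def hunt(packets, decap_ip: str, expected: str):
    """Return (index, outer source IP) for every packet that would hit the bypass."""
    return [(i, parse_ipv4(p)[1]) for i, p in enumerate(packets)
            if classify_outer(p, decap_ip, expected) == "unexpected-outer-protocol"]

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample only: minimal IPv4 header, checksum left at zero (never sent)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr + payload

# Constructed capture: a VXLAN-shaped datagram and a GRE-type packet to the same decap IP,
# plus a VXLAN datagram to an unrelated address.
DECAP_IP = "10.255.0.1"
UDP_TO_VXLAN = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 16, 0) + b"\x08\x00\x00\x00\x00\x00\x64\x00"
SAMPLE_CAPTURE = [
    build_ipv4(PROTO_UDP, "192.0.2.10", DECAP_IP, UDP_TO_VXLAN),
    build_ipv4(PROTO_GRE, "198.51.100.7", DECAP_IP, b"\x00\x00\x08\x00"),
    build_ipv4(PROTO_UDP, "192.0.2.10", "10.255.0.2", UDP_TO_VXLAN),
]
```

On a real capture, feed `hunt()` the IPv4 layer of each frame and treat any hit whose outer source is outside the expected tunnel peers as a "confirmed compromise" candidate under the Impact Determination table.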

    Affected Assets and Blast Radius

    asset_selectors:
      - "arista-eos"
    highest_value_assets:
      - "Arista core and distribution switches terminating VXLAN or GRE tunnels"
    credentials_and_data_at_risk:
      - "Segregated network security boundaries"
      - "Internal subnet endpoints and server resources"

    Indicators And Detection Selectors

    vulnerabilities: ["CVE-2026-7473"]
    packages: ["arista-eos"]
    telemetry_selectors:
      - "vxlan"
      - "gre"
      - "decap-group"

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
    # Scope script: collect the incident selectors, search a local repository and
    # (optionally) an exported telemetry directory for them, and write the results
    # under OUT. It is a triage aid for scoping, not a detection of the bypass itself.
    import os
    import sys
    from pathlib import Path
    
    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-arista-eos-cve-2026-7473-kev-scope"))
    # Window of interest (the KEV addition date). This script does not filter on it;
    # use it when exporting telemetry into LOG_ROOT so the scan covers that window.
    SINCE = "2026-06-09T00:00:00Z"
    UNTIL = "2026-06-09T23:59:59Z"
    
    PACKAGES = []
    VERSIONS = []
    FILES = []
    # Reference domains and URLs only: a hit means the asset mentions the advisory
    # or the catalog, which is context for triage, not evidence of exposure.
    DOMAINS = [
      "www.cisa.gov",
      "www.arista.com",
    ]
    URLS = [
      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "https://www.arista.com/en/support/advisories-notices",
    ]
    IPS = []
    HASHES = []
    PROCESS_PATTERNS = []
    # Left empty on purpose: the telemetry selectors above ("vxlan", "gre",
    # "decap-group") are too short for plain substring matching ("gre" matches
    # "aggregate"); query them field-aware in your flow and config tooling instead.
    NETWORK_PATTERNS = []
    
    # Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
    # Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
    
    OUT.mkdir(parents=True, exist_ok=True)
    indicators_file = OUT / "indicators.txt"
    
    # Collect unique, non-empty indicators across every selector group
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        indicators.update(val for val in group if val)
    
    indicators_file.write_text("".join(ind + "\n" for ind in sorted(indicators)))
    print(f"[+] Wrote unique selectors to {indicators_file}")
    
    def scan_tree(top, exclude_dirs=frozenset()):
        """Return one 'path: found selector' line per (file, selector) hit under top."""
        found = []
        for root, dirs, filenames in os.walk(top):
            dirs[:] = [d for d in dirs if d not in exclude_dirs]
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable or special file: skip it rather than abort the scan
                found.extend(f"{filepath}: found '{ind}'" for ind in sorted(indicators) if ind in content)
        return found
    
    # Walk the local repository, skipping dependency and build output directories
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = scan_tree(ROOT, {"node_modules", "vendor", "dist", ".git"})
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")
    
    # Optional scan of exported telemetry (set LOG_ROOT to the export directory)
    if LOG_ROOT and os.path.isdir(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = scan_tree(LOG_ROOT)
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")
    
    # Registry lookups for package selectors are out of scope here; the directory is
    # reserved for their output if PACKAGES is ever populated.
    if PACKAGES:
        (OUT / "registry").mkdir(exist_ok=True)
    
    print(f"[+] Wrote scope artifacts under {OUT}")

    Sources

    1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
    2. Arista: Security Advisory 0137 - Role: DIRECT_SOURCE - Impact: Detailed hardware advisory, affected versions, and decapsulation bypass mechanics.
    3. NIST NVD: CVE-2026-7473 - Role: ENRICHMENT_DATA - Impact: Severity and vulnerability classification.