Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass

Suspected
Discovered Jun 9, 2026

CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.

0
Affected Packages
2
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://www[.]arista[.]com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137
hXXps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473

Analysis

Executive Summary

Arista Security Advisory 0137 documents CVE-2026-7473, a tunnel-protocol validation flaw in EOS. On affected hardware configured as a tunnel endpoint, packets addressed to a configured decapsulation IP can be decapsulated even when their outer tunnel protocol is not the configured type Arista Advisory 0137 opens in a new tab.

Arista reports exploitation in the wild and rates the issue Medium, with CVSS 4.0 score 6.9 and CVSS 3.1 score 5.8. CISA added the CVE to KEV on 2026-06-09 with a federal due date of 2026-06-23 CISA KEV opens in a new tab. Exposure depends on both platform family and active VXLAN, GRE, GUE, IP-in-IP, NVGRE, or decap-group configuration.

Key Facts

Cve: CVE-2026-7473

Vendor: Arista

Product: EOS

Vulnerability Class: unexpected tunnel-protocol decapsulation

Cwe: CWE-1023

Vendor Severity: Medium

Cvss V4 0: 6.9

Cvss V3 1: 5.8

Required Configuration: device configured as a tunnel endpoint with a decapsulation IP

Fully Affected Platform Families:

  • 7020R Series
  • 7280R/R2 Series
  • 7500R/R2 Series

Limited Scenario Platform Families:

  • 7280R3 Series
  • 7500R3 Series
  • 7800R3 Series

Kev Added: 2026-06-09

Kev Due Date: 2026-06-23

Fixed Versions: none planned (use configuration mitigations)

Last Verified: 2026-06-11

Evidence Assessment

Run the vendor-documented checks on each candidate device:

show interfaces vxlan 1
show interfaces Tunnel0
show ip decap-group

A VXLAN interface showing an active source interface, an up GRE tunnel with source and destination, or configured decap groups makes the device potentially affected when it is also on an applicable platform. If none of these outputs show a tunnel endpoint, Arista says the device is not exposed to this issue.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRequired action
Confirmed exploitationTelemetry shows an unexpected tunnel protocol was decapsulated and forwarded to an internal segment.Packet capture, ACL counters, flow records, and device configuration.Restrict traffic to the decapsulation IP, preserve evidence, and investigate reached internal assets.
Presumed exposedApplicable platform has an active tunnel endpoint without protocol-specific filtering.show version, platform inventory, and tunnel configuration output.Apply Arista's upstream or on-box ACL mitigation and engage Arista support for current remediation guidance.
Potentially exposedArista EOS platform or tunnel configuration is unknown.Device inventory and the three configuration checks above.Inventory immediately and restrict untrusted access to possible decapsulation IPs.
Not exposedDevice is outside the affected platform/scenario set or has no tunnel endpoint configuration.Platform and configuration evidence.Document the result and retain standard control-plane filtering.

Remediation and Closure

Arista describes two mitigation patterns:

  1. Apply ACLs on upstream devices to permit only the expected tunnel protocol and destination port to each decapsulation IP.
  2. Apply ACLs on the affected Arista device to allow expected tunnel traffic or block known-unexpected tunnel traffic.

If a decapsulation IP also serves BGP, SSH, or another service, explicitly permit that traffic before the deny rule. A broad deny applied without this sequencing can disrupt management or routing.

Close remediation only after:

  • Every applicable device has platform and tunnel configuration evidence.
  • Protocol-specific ACLs protect reachable decapsulation IPs.
  • Counters and flow telemetry are reviewed for prior unexpected traffic.
  • Arista support confirms whether a software or hardware remediation is available for the exact platform.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 9, 2026DisclosureDisclosure recorded for Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass.arista.com
Jun 9, 2026DiscoveryDiscovery recorded for Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass.arista.com
Jun 9, 2026First seenFirst seen recorded for Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass.arista.com
Jun 9, 2026Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation BypassUnknownarista.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

2 IOCs
urlhttps://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137
urlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabarista.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-arista-eos-cve-2026-7473-kev-scope"))

URLS = ["https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473"]

# Collect unique indicators
indicators = set()
for group in [URLS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
arista.comSecurity Researcher95%1CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.
cisa.govSecurity Researcher95%1CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.
nvd.nist.govSecurity Researcher95%1CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.