Actively Exploited Arista EOS Vulnerability Threatens High-Performance Switches, No Patch Planned

A vulnerability in Arista's Extensible Operating System (EOS) is being actively exploited, and no patch is planned. The issue affects specific high-performance switch models and requires immediate mitigation. Defenders should prioritize applying the recommended mitigations to secure their networks.

Summary

A critical security defect in Arista's EOS, identified as CVE-2026-7473, has been reported as actively exploited. The flaw arises from unverified tunnel protocol types in certain configurations, which lets attackers get non-configured tunnel traffic processed by the device. This vulnerability impacts several high-performance switch models and poses a significant risk due to the lack of an available patch or hotfix.

What Happened

Arista's EOS, designed for its high-performance switches used in data centers, clouds, and enterprises, is affected by a security defect that has been exploited in the wild. The vulnerability stems from improper verification of tunnel protocol types under specific configurations, leading to unauthorized processing of tunnel traffic. This issue impacts models including 7020R, 7280R/R2, 7500R/R2, as well as certain IP-in-IPv6 and GUE IPv6 scenarios in the 7280R3, 7500R3, and 7800R3 series.

Technical Details

The flaw occurs when devices configured to decapsulate one tunnel type incorrectly accept and process other tunnel protocols destined for the same IP address. An attacker can exploit this by sending non-configured tunnel traffic, which the device erroneously processes. The vulnerability is specific to devices running Arista EOS that are configured as a tunnel endpoint with a decapsulation IP (for example, GRE or VXLAN interfaces).

Affected Products and Fixed Versions

The vulnerability impacts several Arista switch models:

  • 7020R series
  • 7280R/R2 series
  • 7500R/R2 series
  • Certain configurations in the 7280R3, 7500R3, and 7800R3 series

No fixed versions are available due to the decision against releasing patches or hotfixes.

Exploitation Status

The vulnerability has been confirmed as exploited in the wild. The US cybersecurity agency CISA added CVE-2026-7473 to its Known Exploited Vulnerabilities list, urging federal agencies to address it promptly within two weeks of disclosure. This underscores the critical nature of the threat and the necessity for immediate action.

Indicators of Compromise

No specific indicators of compromise (IOCs) are detailed in the advisory. However, organizations should monitor their network traffic for unexpected tunnel protocol activity on affected devices.

Detection Opportunities

Organizations can detect potential exploitation by monitoring for unusual or unauthorized tunnel traffic on impacted Arista EOS devices. Network administrators should review configurations to ensure that only intended tunnel protocols are accepted and processed.
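
The monitoring described above can be expressed as a check over exported flow records. The following Python code is an added example, not taken from Arista's advisory or the cited sources: it flags tunnel traffic sent to a decapsulation IP whose encapsulation type differs from the one configured there. The inventory, flow record layout, type labels, and sample addresses are assumptions constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address

# IANA IP protocol numbers / UDP ports for common tunnel encapsulations.
IP_PROTO_TUNNELS = {4: "ipip", 41: "ipv6-encap", 47: "gre"}
UDP_PORT_TUNNELS = {4789: "vxlan", 6080: "gue"}

# Assumption: inventory of decapsulation IPs and the tunnel type each one
# is actually configured for, built from your own device configurations.
DECAP_INVENTORY = {
    ip_address("192.0.2.10"): {"gre"},
    ip_address("2001:db8::10"): {"vxlan"},
}

# Constructed sample flow export: ts,src,dst,ip_proto,dst_port
SAMPLE_FLOWS = """\
2026-06-01T10:00:00Z,198.51.100.7,192.0.2.10,47,0
2026-06-01T10:00:05Z,203.0.113.9,192.0.2.10,17,4789
2026-06-01T10:00:09Z,203.0.113.9,192.0.2.10,4,0
2026-06-01T10:01:00Z,2001:db8:1::5,2001:db8::10,17,4789
2026-06-01T10:01:30Z,2001:db8:1::66,2001:db8::10,17,6080
2026-06-01T10:02:00Z,198.51.100.7,192.0.2.10,6,22
2026-06-01T10:02:10Z,198.51.100.7,192.0.2.99,47,0
"""

def tunnel_type(ip_proto, dst_port):
    """Map a flow's L3/L4 fields to a tunnel type, or None if not a tunnel."""
    if ip_proto == 17:  # UDP-based encapsulations are identified by port
        return UDP_PORT_TUNNELS.get(dst_port)
    return IP_PROTO_TUNNELS.get(ip_proto)

def find_unexpected_tunnels(flow_csv, inventory=DECAP_INVENTORY):
    """Return flows whose tunnel type is not configured on the decap IP."""
    alerts = []
    for ts, src, dst, proto, dport in csv.reader(io.StringIO(flow_csv)):
        allowed = inventory.get(ip_address(dst))
        if allowed is None:
            continue  # destination is not one of our decap endpoints
        seen = tunnel_type(int(proto), int(dport))
        if seen is not None and seen not in allowed:
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "seen": seen, "configured": sorted(allowed)})
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_tunnels(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample, the VXLAN and IP-in-IP flows to the GRE endpoint and the GUE flow to the VXLAN endpoint are reported; the matching tunnels, the SSH flow, and the flow to an address outside the inventory are not.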

Timeline

  • May 2026: Arista disclosed the vulnerability in an advisory, noting its exploitation in the wild.
  • June 9, 2026: CISA added CVE-2026-7473 to its Known Exploited Vulnerabilities catalog, urging mitigation within two weeks.

Why This Matters for Defenders

The lack of a patch or hotfix for this vulnerability places significant responsibility on defenders to implement the recommended mitigations. Failure to do so could result in unauthorized access and potential disruption of network operations. The inclusion of CVE-2026-7473 in CISA's KEV list highlights its criticality and the urgency for federal agencies and other organizations to act swiftly.

What Remains Unclear

While the exploitation status is confirmed, specific details about the attack vectors or the extent of the impact remain undisclosed. Additionally, the exact nature of the mitigation instructions provided by Arista has not been detailed in public sources.

Defender Guidance

Defenders should immediately review and apply the mitigation instructions provided by Arista to secure their networks. This includes verifying tunnel protocol configurations on affected devices and ensuring that only authorized protocols are processed. Continuous monitoring for unusual network activity is also recommended to detect potential exploitation attempts.

Sources

  1. https://www.securityweek.com/no-patch-planned-for-exploited-arista-eos-vulnerability/
  2. https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137?utm_source=feedly
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -