Arista EOS CVE-2026-7473 tunnel decapsulation exploitation

Summary

CVE-2026-7473 is an Arista EOS tunnel-decapsulation flaw where affected switches configured as tunnel endpoints can incorrectly decapsulate and forward unexpected tunnel protocols sent to a configured decapsulation IP. Arista's CVE record says the issue has been exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-09.

The lasting value for defenders is a network-plane exposure review: when protocol matching is incomplete, switches that terminate VXLAN, GRE, IP-in-IP, NVGRE, or GUE traffic can unintentionally process tunnel types that were never explicitly configured.

Why this matters

  • The vulnerable surface is network-reachable and requires no privileges or user interaction.
  • Impact is integrity-oriented rather than code execution: unexpected tunneled traffic can be decapsulated and forwarded when sent to a tunnel endpoint's decapsulation IP.
  • Arista says no software upgrade path is planned because changing the behavior risks breaking existing deployments; mitigation is configuration and ACL hardening.
  • CISA's KEV entry sets a 2026-06-23 remediation due date for covered federal agencies, making this an operationally urgent network-infrastructure exposure even with no public actor attribution.

Operational characteristics

  • Affected product: Arista EOS on affected Arista platforms.
  • Affected platforms: Arista lists 7020R, 7280R/R2, and 7500R/R2 Series; 7280R3, 7500R3, and 7800R3 Series have limited exposure for IP-in-IPv6 and GUEv6 decap-group scenarios.
  • Exposure condition: the device must be configured as a tunnel endpoint with a decapsulation IP, such as a VXLAN VTEP, GRE tunnel endpoint, or ip decap-group.
  • Exploit primitive: a device configured to decapsulate one tunnel type can also incorrectly accept other tunnel protocols destined to the same decapsulation IP, even when those protocols were not configured.
  • Observed exploitation: Arista's CVE record states that the issue has been reported as exploited in the wild; CISA added the flaw to KEV on 2026-06-09.
  • Affected versions: Arista's CVE record marks EOS 4.36.0, 4.35 and below, 4.34 and below, 4.33 and below, 4.32 and below, 4.31 and below, and 4.30 and below as affected in the listed platform scope.
  • Severity: CVSS v3.1 5.8, network attack vector, low complexity, no privileges, no user interaction, changed scope, low integrity impact.

Defender heuristics

  • Inventory Arista EOS devices that terminate tunnels, especially VXLAN VTEPs, GRE interfaces, and configured decap groups.
  • Confirm exposure with vendor-recommended operational checks such as:
      • show interfaces vxlan 1 for an active VXLAN source interface and tunnel termination IP.
      • show interfaces Tunnel0 for active GRE tunnel interfaces with source/destination configuration.
      • show ip decap-group for decapsulation-group configuration.
  • If a tunnel IP is expected to receive only one protocol, enforce that expectation with ACLs on upstream devices where possible: allow the expected tunnel protocol and destination port, then deny other traffic to the decapsulation IP.
  • Apply ACLs on the decapsulation switch only after platform-specific review; Arista warns that some mitigations require TCAM profile changes and those changes can disrupt forwarding.
  • Preserve and review flow, interface, ACL-counter, control-plane, and routing logs around the exposure window for unexpected tunnel protocol traffic to decapsulation IPs.
  • When applying deny rules, explicitly permit legitimate non-tunnel traffic first if the same IP also serves control-plane or routing roles such as BGP or SSH.
  • Treat successful exploitation as potential network-path manipulation: review adjacent segment access, overlay routing assumptions, and any trust decisions based on tunnel separation.
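
The flow-review heuristic above can be scripted. The following is an added example, not code from Arista or CISA: it flags flow records that carry a tunnel protocol the destination decapsulation IP is not configured for, while ignoring non-tunnel traffic such as BGP or SSH. The inventory, addresses, and flow-record fields are constructed assumptions, and the UDP ports are the IANA defaults for VXLAN (4789) and GUE (6080).

```python
import ipaddress
from collections import Counter

# Assumption: inventory of decap IPs and the tunnel type each one is configured for.
EXPECTED = {
    "192.0.2.10": {"vxlan"},      # VXLAN VTEP (constructed address)
    "192.0.2.20": {"gre/nvgre"},  # GRE tunnel endpoint (constructed address)
}

def classify(proto, dport=None):
    """Map IP protocol number and UDP destination port to a tunnel type, else None.

    GRE and NVGRE both use IP protocol 47, so flow records cannot separate them.
    """
    if proto == 17:  # UDP-based encapsulations, IANA default ports
        return {4789: "vxlan", 6080: "gue"}.get(dport)
    return {47: "gre/nvgre", 4: "ip-in-ip", 41: "ipv6-in-ip"}.get(proto)

def unexpected_tunnel_flows(flows, expected=EXPECTED):
    """Return flows whose tunnel type is not configured on the destination decap IP."""
    hits = []
    for flow in flows:
        dst = str(ipaddress.ip_address(flow["dst"]))  # normalise the address text
        if dst not in expected:
            continue  # not a known tunnel endpoint
        kind = classify(flow["proto"], flow.get("dport"))
        # Non-tunnel traffic (BGP, SSH, ...) to the same IP is out of scope here.
        if kind is not None and kind not in expected[dst]:
            hits.append({**flow, "tunnel": kind})
    return hits

def packets_by_endpoint(hits):
    """Sum packet counts per (decap IP, unexpected tunnel type) for triage."""
    totals = Counter()
    for hit in hits:
        totals[(hit["dst"], hit["tunnel"])] += hit["packets"]
    return dict(totals)

# Constructed flow records (fields are hypothetical, not a specific export format).
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": 17, "dport": 4789, "packets": 1200},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 47, "packets": 40},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 17, "dport": 6080, "packets": 12},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": 6, "dport": 179, "packets": 300},
    {"src": "198.51.100.6", "dst": "192.0.2.20", "proto": 47, "packets": 900},
    {"src": "203.0.113.8", "dst": "192.0.2.20", "proto": 4, "packets": 5},
    {"src": "203.0.113.8", "dst": "192.0.2.99", "proto": 4, "packets": 5},
]
```

Deployments that run VXLAN or GUE on non-default UDP ports need those ports added to classify before the results are meaningful.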

Sources

  • Arista CVE record: https://cveawg.mitre.org/api/cve/CVE-2026-7473
  • Arista vendor advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137
  • CISA KEV feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog