
Arista EOS CVE-2026-7473

EUVD-2026-34858 · MEDIUM
Incomplete Comparison with Missing Factors (CWE-1023)
2026-06-05 · Arista · GHSA-mcx4-vm6v-r473
CVSS 4.0 (NVD): 6.9

Severity by source

NVD (primary): 6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Base metrics decoded from the NVD vector above. CVSS 4.0 has no Scope metric; the S:X at the end of the vector is the supplemental Safety metric, which is not defined here.

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: Confidentiality None, Integrity Low, Availability None (SC:N/SI:L/SA:N)
Threat, Environmental and Supplemental metrics: not defined (X)

Lifecycle Timeline

Jun 09, 2026 17:32 · CISA: Added to CISA KEV
Jun 05, 2026 17:28 · vuln.today: Analysis generated
Jun 05, 2026 17:22 · NVD: CVSS changed, 5.8 (MEDIUM) → 6.9 (MEDIUM)

Description (CVE.org)

On affected platforms running Arista EOS where a tunnel decapsulation configuration, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, is present, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.

This issue has been reported as being exploited in the wild.

Analysis (AI)

Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, so any tunneled packet destined for a configured decapsulation IP is silently unwrapped and forwarded into the network. Unauthenticated remote attackers (PR:N, AV:N per CVSS 4.0) can inject traffic into network segments by exploiting this missing check on switches with VXLAN, decap-group, or GRE configurations. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify EOS switch with VXLAN/GRE decap configured
Delivery: Determine decapsulation destination IP
Exploit: Craft tunneled packet with non-configured protocol type
Install: Send packet to decap IP over network
C2: Switch matches IP, skips protocol-type verification
Execute: Switch decapsulates and forwards inner payload
Impact: Injected traffic enters protected network segment

Vulnerability Assessment (AI)

Exploitation: Exploitation is only possible when the target Arista EOS switch has an active tunnel decapsulation configuration, specifically at least one of: a VXLAN VTEP/decapsulation IP, a decap-group configuration, or a GRE tunnel interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.0 base score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects unauthenticated, low-complexity, remotely triggerable exploitation with no user interaction needed, an attack surface that favors the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker on the internet or an adjacent network crafts tunneled IP packets (for example, VXLAN-encapsulated frames) addressed to a GRE-configured EOS switch's decapsulation IP. The switch, checking only the destination IP and not the protocol type, decapsulates the VXLAN frames and forwards the inner traffic into the protected network segment as if it originated from a trusted tunnel peer. …
Remediation: The primary remediation is to apply the vendor-released patch per Arista Security Advisory 0137, available at https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137. … Detailed patch versions, workarounds, and compensating controls in full report.
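To make the missing factor in the comparison concrete, here is an added Python example (not Arista's code, and not the EOS data path, which lives in forwarding hardware; this only models the lookup). It places a decapsulation lookup keyed on destination IP alone next to one keyed on destination IP plus the protocol type the entry was configured for, and runs both over constructed packets that include the two cases from the description and the exploit scenario above: a GRE packet aimed at a VXLAN VTEP IP, and a VXLAN frame aimed at a GRE endpoint's decap IP. The same comparison doubles as a detection predicate, since a packet that hits a decap IP with an encapsulation the entry was not configured for is either probing or exploitation. The tunnel-type names, the modelling of decap-groups as IP-in-IP, and all addresses and payloads are assumptions made for the demo.

```python
"""Model of the incomplete decapsulation check (CWE-1023) and its fix.

Added example, not Arista code. Packets, configuration and the mapping
of tunnel types to wire encapsulations below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers and the IANA-assigned VXLAN UDP port.
PROTO_IPIP = 4
PROTO_UDP = 17
PROTO_GRE = 47
VXLAN_UDP_PORT = 4789


@dataclass(frozen=True)
class Encap:
    """Outer-header facts that identify the tunnel protocol."""
    proto: int                        # outer IP protocol number
    udp_dport: Optional[int] = None   # only meaningful for UDP-based tunnels


# Wire encapsulation each configured tunnel type expects.
# Assumption: decap-groups are modelled as plain IP-in-IP here.
TUNNEL_ENCAP = {
    "vxlan": Encap(PROTO_UDP, VXLAN_UDP_PORT),
    "gre": Encap(PROTO_GRE),
    "decap-group": Encap(PROTO_IPIP),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encap: Encap
    inner: str   # stand-in for the payload that would be decapsulated


@dataclass(frozen=True)
class DecapEntry:
    decap_ip: str
    tunnel_type: str   # key of TUNNEL_ENCAP


def vulnerable_lookup(table, pkt):
    """Vulnerable shape: the key is the destination IP alone.

    Any outer header whose destination matches a decap IP is treated as
    belonging to that tunnel, whatever protocol it actually carries.
    """
    for entry in table:
        if pkt.dst == entry.decap_ip:
            return entry
    return None


def fixed_lookup(table, pkt):
    """Fixed shape: the key also carries the entry's configured protocol type."""
    for entry in table:
        if pkt.dst == entry.decap_ip and pkt.encap == TUNNEL_ENCAP[entry.tunnel_type]:
            return entry
    return None


def forward(table, pkts, lookup):
    """Inner payloads the switch would decapsulate and forward under `lookup`."""
    return [pkt.inner for pkt in pkts if lookup(table, pkt) is not None]


def unexpected_encaps(table, pkts):
    """Detection: packets that hit a decap IP with the wrong encapsulation.

    A patched switch drops these; a vulnerable one forwards them, so the
    list is worth alerting on either way.
    """
    return [pkt for pkt in pkts
            if vulnerable_lookup(table, pkt) is not None
            and fixed_lookup(table, pkt) is None]


# Constructed configuration: 10.0.0.1 is a VXLAN VTEP, 10.0.0.2 a GRE endpoint.
TABLE = [DecapEntry("10.0.0.1", "vxlan"), DecapEntry("10.0.0.2", "gre")]

# Constructed traffic (documentation-range addresses).
SAMPLE = [
    Packet("192.0.2.10", "10.0.0.1", TUNNEL_ENCAP["vxlan"], "vxlan-from-peer"),   # legitimate
    Packet("198.51.100.7", "10.0.0.1", TUNNEL_ENCAP["gre"], "gre-into-vtep"),     # wrong type
    Packet("198.51.100.7", "10.0.0.2", TUNNEL_ENCAP["vxlan"], "vxlan-into-gre"),  # exploit scenario
    Packet("198.51.100.7", "10.0.0.9", TUNNEL_ENCAP["gre"], "not-a-decap-ip"),    # no decap IP
]

if __name__ == "__main__":
    print("vulnerable forwards:", forward(TABLE, SAMPLE, vulnerable_lookup))
    print("fixed forwards:     ", forward(TABLE, SAMPLE, fixed_lookup))
    print("flag for alerting:  ", [p.inner for p in unexpected_encaps(TABLE, SAMPLE)])
```

A real VXLAN or GRE lookup carries further factors the patched comparison must keep (permitted source peers, the VNI, the GRE protocol-type field), so read this as the shape of the fix rather than its complete key. For detection, applying the same predicate to flow records or a packet capture taken on the decap IP lists exactly the traffic a patched switch would drop, which is a useful check both before and after applying the advisory's fix.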



CVE-2026-7473 vulnerability details – vuln.today
