A vulnerability in Arista Extensible Operating System (EOS), tracked as CVE-2026-7473, causes switches to incorrectly decapsulate and forward unexpected tunneled packets when tunnel decapsulation configurations such as VXLAN, decap-groups, or GRE tunnel interfaces are present. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on June 9, 2026 with a federal agency remediation deadline of June 23, 2026.
What Is the Vulnerability?
CVE-2026-7473 is an "incomplete comparison with missing factors" vulnerability in Arista EOS. When a switch has tunnel decapsulation configured — including VXLAN (Virtual Extensible LAN), decap-groups, or GRE (Generic Routing Encapsulation) tunnel interfaces — the switch fails to properly verify tunneled packets before decapsulating and forwarding them. A packet with a destination IP matching the switch’s configured decapsulation IP is incorrectly decapsulated and forwarded onto the internal network, even when it should have been dropped or routed differently.
Arista Networks is a leading provider of data center and campus networking switches, deployed in enterprise data centers, cloud provider networks, financial services trading platforms, and high-frequency trading environments. VXLAN and GRE tunneling are standard configurations in modern data center networks for network virtualisation and overlay networking. The practical impact is a network bypass: an attacker can craft tunneled packets that, when received by an affected Arista switch, are decapsulated and injected into the internal network as if they originated from within the tunnel — bypassing perimeter security controls.
- CISA KEV: Added June 9, 2026 — federal agency deadline June 23, 2026
- Attack Vector: Network — crafted tunneled packet
- Impact: Network bypass — tunneled packets injected into internal network
Which Versions Are Affected?
- Arista EOS — affected platforms with VXLAN, decap-groups, or GRE tunnel decapsulation configured. Consult the Arista advisory for specific affected versions and fixed releases.
Is It Being Exploited in the Wild?
The CISA KEV addition confirms active exploitation. Network infrastructure vulnerabilities that enable traffic injection and perimeter bypass are high-value targets for sophisticated attackers — particularly in data center and financial services environments where Arista switches are commonly deployed.
What Is the Fix?
Apply the Arista EOS security update. The fix adds proper verification of tunneled packets before decapsulation and forwarding. After updating, verify the EOS version and review switch logs for unexpected tunnel decapsulation events.
Recommendations
Patch Arista switches by June 23. Prioritise switches with tunnel decapsulation configured — VXLAN, decap-groups, and GRE tunnel interfaces. These are common in data center spine-leaf architectures and campus network overlays.
Audit tunnel configurations. Review which switches have tunnel decapsulation enabled and verify that it is required. Disable tunnel decapsulation on switches where it is not operationally needed.
Monitor for unexpected tunneled traffic. Review network flow data for unusual tunnel decapsulation patterns or internal traffic originating from unexpected tunnel sources.
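One way to run the flow review described above, as an added example that is not part of the original advisory or any Arista tooling: it flags VXLAN or GRE flows addressed to a decapsulation IP from a source outside the expected tunnel peers. The CSV layout, addresses, and peer allowlist are constructed assumptions; adapt them to your own flow export.

```python
import csv
import io
import ipaddress

# Assumptions (constructed for this example): one site's decap IPs and peers.
DECAP_IPS = {"10.0.0.1"}                                # local decapsulation address
ALLOWED_PEERS = [ipaddress.ip_network("10.0.0.0/28")]   # expected remote tunnel endpoints
VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port; change if reconfigured locally
PROTO_UDP, PROTO_GRE = 17, 47                           # IP protocol numbers

# Constructed sample flow export: src, dst, IP protocol, destination port, packets
SAMPLE_FLOWS = """src,dst,proto,dport,packets
10.0.0.2,10.0.0.1,17,4789,1200
198.51.100.7,10.0.0.1,17,4789,3
203.0.113.9,10.0.0.1,47,0,5
198.51.100.7,10.0.0.1,6,22,1
10.0.0.3,10.0.0.1,47,0,40
192.0.2.50,10.0.0.99,17,4789,8
"""

def tunnel_type(proto, dport):
    """Classify a flow as 'gre', 'vxlan', or None (not tunnel traffic)."""
    if proto == PROTO_GRE:
        return "gre"
    if proto == PROTO_UDP and dport == VXLAN_UDP_PORT:
        return "vxlan"
    return None

def unexpected_tunnel_flows(flow_csv, decap_ips=DECAP_IPS, allowed=ALLOWED_PEERS):
    """Return (src, dst, kind, packets) for tunnel flows from non-allowlisted sources."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        kind = tunnel_type(int(row["proto"]), int(row["dport"]))
        # Only tunnel traffic aimed at a configured decapsulation IP is relevant.
        if kind is None or row["dst"] not in decap_ips:
            continue
        src = ipaddress.ip_address(row["src"])
        if not any(src in net for net in allowed):
            findings.append((row["src"], row["dst"], kind, int(row["packets"])))
    return findings

if __name__ == "__main__":
    for src, dst, kind, pkts in unexpected_tunnel_flows(SAMPLE_FLOWS):
        print(f"unexpected {kind} tunnel flow: {src} -> {dst} ({pkts} packets)")
```

Findings from this check are leads for investigation, since a missing allowlist entry for a legitimate peer produces the same result.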
References
- CISA Known Exploited Vulnerabilities Catalog — CVE-2026-7473
- Vulnerability Intelligence Report — June 10, 2026
This advisory is part of the CISA Known Exploited Vulnerabilities (KEV) tracking series. CVE-2026-7473 was added to KEV on June 9, 2026. For a comprehensive view of all active threats, refer to the latest Vulnerability Intelligence Report.
