No Fix Scheduled for Recently Discovered Arista Network Security Flaw
Attackers are exploiting a critical flaw in Arista Extensible Operating System (EOS) as a zero-day, and no fix is planned.
Vulnerability Overview
Arista EOS, a Linux-based network operating system designed for high-performance switches in data centers, cloud environments, and enterprises, contains a vulnerability tracked as CVE-2026-7473 with a CVSS score of 6.9. The flaw arises from insufficient verification of tunnel protocol types in specific configurations, allowing unauthorized tunnel traffic to be processed.
Arista clarified that systems set to decapsulate one tunnel type may erroneously accept and process other tunnel protocols directed to the same IP address, even if those protocols were not explicitly configured.
Affected Devices
The vulnerability impacts models including the 7020R, 7280R/R2, and 7500R/R2 series. Additional scenarios involving IP-in-IPv6 and GUE IPv6 decap groups affect the 7280R3, 7500R3, and 7800R3 series.
CISA Advisory and KEV Inclusion
Arista confirmed the flaw is being actively exploited in real-world attacks, as noted in a May advisory. The company has issued mitigation guidance but stated no software updates or hotfixes will be released. Arista cited concerns that addressing the issue could disrupt existing configurations in deployed environments.
On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-7473 to its Known Exploited Vulnerabilities (KEV) list, requiring federal agencies to resolve the issue within 14 days. CISA also expanded its KEV list to include two other actively exploited zero-days: CVE-2026-11645 in Chrome and CVE-2026-20245 in Cisco SD-WAN.
Technical Details and Exploitation
Technical details indicate the vulnerability is triggered only on devices with specific tunnel endpoint configurations: affected systems must have decapsulation enabled for protocols such as GRE or VXLAN.
The flaw’s exploitation vector relies on crafting malicious traffic that bypasses protocol validation mechanisms.
Mitigation and Recommendations
Arista’s advisory emphasized that the defect cannot be exploited through standard network traffic unless the device is explicitly configured to handle tunnel decapsulation. No patches or configuration changes are recommended due to the risk of destabilizing existing deployments.
Organizations are advised to review their network architectures and disable unnecessary tunnel processing features.
CISA’s inclusion of the vulnerability in its KEV list underscores the urgency of addressing the flaw, as threat actors are actively leveraging it for unauthorized access and data exfiltration. The absence of a software fix highlights the challenges of securing complex network infrastructure where backward compatibility and operational stability take precedence over immediate vulnerability remediation.
Enterprises using affected Arista hardware are urged to implement compensating controls, such as network segmentation and traffic monitoring, to mitigate potential risks.
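The traffic-monitoring control mentioned above can be made concrete. The following added example (not from the article or from Arista) takes an operator's intended decap configuration (endpoint IP to set of tunnel types) and a list of constructed flow records, and flags tunnel traffic of a type the operator never configured for that endpoint, which is exactly the traffic the flaw causes the switch to accept. Tunnel types are recognised by IP protocol number and by the IANA-assigned UDP ports for VXLAN and GUE; the IPs and flows are constructed sample data.

```python
from dataclasses import dataclass

# IP protocol numbers and IANA-assigned UDP ports for the tunnel types named in
# the advisory. These are the standard defaults, not Arista-specific values.
PROTO_IPIP, PROTO_IPV6_ENCAP, PROTO_GRE, PROTO_UDP = 4, 41, 47, 17
UDP_TUNNEL_PORTS = {4789: "vxlan", 6080: "gue"}

@dataclass(frozen=True)
class Flow:
    dst_ip: str        # outer destination address (the tunnel endpoint)
    proto: int         # outer IP protocol number
    dst_port: int = 0  # UDP destination port, 0 when the flow is not UDP

def tunnel_type(flow):
    """Return the tunnel type a flow carries, or None if it is not tunnel traffic."""
    if flow.proto == PROTO_GRE:
        return "gre"
    if flow.proto == PROTO_IPIP:
        return "ipip"
    if flow.proto == PROTO_IPV6_ENCAP:
        return "ip6ip"
    if flow.proto == PROTO_UDP:
        return UDP_TUNNEL_PORTS.get(flow.dst_port)  # None for ordinary UDP
    return None

def unexpected_tunnels(flows, decap_config):
    """Flag tunnel traffic aimed at a configured decap endpoint whose tunnel type
    is not among the types the operator configured for that endpoint.
    decap_config maps endpoint IP -> set of intended tunnel types."""
    findings = []
    for flow in flows:
        allowed = decap_config.get(flow.dst_ip)
        if allowed is None:
            continue  # not a decap endpoint; the flaw does not apply there
        ttype = tunnel_type(flow)
        if ttype is not None and ttype not in allowed:
            findings.append((flow.dst_ip, ttype, flow.proto, flow.dst_port))
    return findings

# Constructed sample: endpoint 192.0.2.10 is configured to decapsulate VXLAN only.
DECAP_CONFIG = {"192.0.2.10": {"vxlan"}}
SAMPLE_FLOWS = [
    Flow("192.0.2.10", PROTO_UDP, 4789),  # VXLAN, as configured
    Flow("192.0.2.10", PROTO_GRE),        # GRE to a VXLAN-only endpoint: flag
    Flow("192.0.2.10", PROTO_UDP, 6080),  # GUE to a VXLAN-only endpoint: flag
    Flow("192.0.2.10", 6, 443),           # plain TCP, not tunnel traffic
    Flow("198.51.100.5", PROTO_GRE),      # GRE to a non-endpoint: out of scope
]

if __name__ == "__main__":
    for ip, ttype, proto, port in unexpected_tunnels(SAMPLE_FLOWS, DECAP_CONFIG):
        print(f"unexpected {ttype} tunnel to {ip} (proto {proto}, port {port})")
```

Run against real flow exports, a hit means a configured endpoint is receiving a tunnel type it was never meant to decapsulate and should be investigated or filtered upstream.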
