LiveActive security incident?Get immediate response
CVE Record

CVE-2026-7473: Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.

MediumCVSS 6.9Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-7473 affects Arista EOS switches using tunnel decapsulation features. A switch may accept and forward tunneled traffic using an unexpected protocol if it targets the configured decapsulation IP. This can bypass intended network handling. It is listed in CISA KEV and reported exploited in the wild.

Executive priority

Treat this as a priority network infrastructure issue because CISA lists it as known exploited. Focus first on Arista EOS devices providing tunnel or overlay networking. Business risk is unintended traffic forwarding across network boundaries, which can undermine segmentation and monitoring assumptions.

Technical view

On affected Arista EOS platforms with VXLAN, decap-groups, or GRE tunnel interfaces, EOS does not verify the tunnel protocol type before decapsulation. Packets for other tunnel protocols can be decapsulated and forwarded when the destination IP matches the configured decapsulation IP. CVSS v4 score is 6.9; CWE-1023 is listed.

Likely exposure

Exposure is most likely where Arista EOS switches are configured for tunnel decapsulation, including VXLAN, decap-groups, or GRE tunnel interfaces. The source bundle lists EOS versions 4.31.0 through 4.36.0 and default affected status, but exact impacted releases and fixed versions should be confirmed in Arista advisories.

Exploitation context

Active exploitation is supported by the CVE description and CISA KEV listing. An attacker would need network reachability to the configured decapsulation IP and could cause unexpected processing of non-configured tunneled traffic. The documented impact is integrity-related forwarding bypass, not device takeover.

Researcher notes

Evidence confirms a protocol validation flaw in tunnel decapsulation behavior and active exploitation via KEV. Public source details in the provided bundle do not include specific fixed releases or detection indicators. Avoid assuming all EOS deployments are exposed; the vulnerable condition requires a relevant decapsulation configuration.

Mitigation direction

  • Review Arista advisory 0137 for affected platforms, fixed releases, and vendor instructions.
  • Prioritize remediation for switches with VXLAN, decap-groups, or GRE tunnel decapsulation enabled.
  • Limit network reachability to decapsulation IPs where operationally possible.
  • Disable unnecessary tunnel decapsulation configurations after change approval.
  • Monitor for unexpected tunneled traffic targeting decapsulation IP addresses.

Validation and detection

  • Inventory Arista EOS switches and record EOS versions.
  • Identify VXLAN, decap-groups, and GRE tunnel interface configurations.
  • Compare each device against Arista advisory 0137 affected and fixed release guidance.
  • Review telemetry for unexpected tunnel protocols sent to decapsulation IPs.
  • Confirm remediation through configuration review and vendor-recommended version verification.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1023: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-7473 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.9 (4.0)
Known Exploited
Yes
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
1ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA-ADP
Date added
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: yesTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.9CVSS 4.0MediumCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:NArista
5.8CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N3.91.4Arista

Vulnerability scoring details

Base CVSS 4.0 score

6.9Medium
CVSS 4.0 vector shape for CVE-2026-7473Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. Added to KEVCISA-ADP

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  4. ADP timelineCISA-ADP

    CVE-2026-7473 added to CISA KEV

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvcother:kev
  • 2026-06-09T00:00:00.000Z: CVE-2026-7473 added to CISA KEV
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Arista NetworksEOS4.36.0, 4.35.0, 4.34.0, 4.33.0, 4.32.0, 4.31.0, *affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1023 · source CWE mapping

Incomplete Comparison with Missing Factors

Incomplete Comparison with Missing Factors represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.