CVE-2026-7473: Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.
This issue has been reported as being exploited in the wild.
Security readout for executives and security teams
Plain-English summary
CVE-2026-7473 affects Arista EOS switches using tunnel decapsulation features. A switch may accept and forward tunneled traffic using an unexpected protocol if it targets the configured decapsulation IP. This can bypass intended network handling. It is listed in CISA KEV and reported exploited in the wild.
Executive priority
Treat this as a priority network infrastructure issue because CISA lists it as known exploited. Focus first on Arista EOS devices providing tunnel or overlay networking. Business risk is unintended traffic forwarding across network boundaries, which can undermine segmentation and monitoring assumptions.
Technical view
On affected Arista EOS platforms with VXLAN, decap-groups, or GRE tunnel interfaces, EOS does not verify the tunnel protocol type before decapsulation. Packets for other tunnel protocols can be decapsulated and forwarded when the destination IP matches the configured decapsulation IP. CVSS v4 score is 6.9; CWE-1023 is listed.
Likely exposure
Exposure is most likely where Arista EOS switches are configured for tunnel decapsulation, including VXLAN, decap-groups, or GRE tunnel interfaces. The source bundle lists EOS versions 4.31.0 through 4.36.0 and default affected status, but exact impacted releases and fixed versions should be confirmed in Arista advisories.
Exploitation context
Active exploitation is supported by the CVE description and CISA KEV listing. An attacker would need network reachability to the configured decapsulation IP and could cause unexpected processing of non-configured tunneled traffic. The documented impact is integrity-related forwarding bypass, not device takeover.
Researcher notes
Evidence confirms a protocol validation flaw in tunnel decapsulation behavior and active exploitation via KEV. Public source details in the provided bundle do not include specific fixed releases or detection indicators. Avoid assuming all EOS deployments are exposed; the vulnerable condition requires a relevant decapsulation configuration.
Mitigation direction
Review Arista advisory 0137 for affected platforms, fixed releases, and vendor instructions.
Prioritize remediation for switches with VXLAN, decap-groups, or GRE tunnel decapsulation enabled.
Limit network reachability to decapsulation IPs where operationally possible.
Disable unnecessary tunnel decapsulation configurations after change approval.
Monitor for unexpected tunneled traffic targeting decapsulation IP addresses.
Validation and detection
Inventory Arista EOS switches and record EOS versions.
Identify VXLAN, decap-groups, and GRE tunnel interface configurations.
Compare each device against Arista advisory 0137 affected and fixed release guidance.
Review telemetry for unexpected tunnel protocols sent to decapsulation IPs.
Confirm remediation through configuration review and vendor-recommended version verification.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1023: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1023 · source CWE mapping
Incomplete Comparison with Missing Factors
Incomplete Comparison with Missing Factors represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.