CVE-2026-7473
Published 2026-06-05
Priority P1 81 · medium · 5.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Flags: KEV, ITW
CISA Known Exploited Vulnerability, due 2026-06-23
Exploited in the wild
EPSS: 27.22% (96.5th percentile)
On affected platforms running Arista EOS where a tunnel decapsulation configuration is present, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type before decapsulating, so tunnel traffic of a type that was never configured for that IP can be processed and forwarded.
This issue has been reported as being exploited in the wild.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arista_networks | eos | — | — |
| arista_networks | eos | * – 4.30 | — |
| arista_networks | eos | 4.31.0 – 4.31 | — |
| arista_networks | eos | 4.32.0 – 4.32 | — |
| arista_networks | eos | 4.33.0 – 4.33 | — |
| arista_networks | eos | 4.34.0 – 4.34 | — |
| arista_networks | eos | 4.35.0 – 4.35 | — |
Detection & IOCs (extracted from sources)
- Detect unexpected tunnel protocol decapsulation on Arista EOS devices configured as tunnel endpoints (VXLAN VTEP, GRE tunnel endpoint, or IP decap-group): traffic whose destination IP matches the device's configured decapsulation IP but whose tunnel protocol type is not one configured for that IP should be flagged as suspicious.
- Apply ACLs on upstream devices, or on the affected EOS devices themselves, to permit only the legitimate tunnel protocol(s) to each decapsulation IP and drop the rest; anomalous tunnel protocol types arriving at decapsulation IPs are the key signal.
- Focus detection on the Arista 7020R, 7280R/R2 and 7500R/R2 series; exploitation requires the device to be configured as a tunnel endpoint with a decapsulation IP.
- No patch is planned for CVE-2026-7473: Arista cites the risk of breaking existing configurations. ACL-based mitigation is the recommended approach.
- Only devices actively configured as a tunnel endpoint (VXLAN VTEP, GRE tunnel endpoint, or IP decap-group) are affected; devices without such configuration are not.
- FCEB agencies must apply mitigations by 2026-06-23 under BOD 22-01 (CISA KEV catalog).
- Root cause: the switch does not verify the tunnel protocol type during decapsulation, so any tunneled packet destined for the decapsulation IP may be processed regardless of protocol.
- The vendor advisory and further technical details are at the Arista security advisory page referenced in the CISA KEV catalog notes.
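The detection item above amounts to applying, off-box, the check the switch omits: for every packet addressed to a decapsulation IP, compare the outer tunnel type (GRE, IP-in-IP, UDP/4789 VXLAN) against the tunnel type that IP is actually configured for. The script below is an added example written for this page, not code from Arista or from the advisory. It assumes a hypothetical policy map (the decap IPs 10.0.0.1 and 10.0.0.2 and their configured tunnel types), parses constructed raw IPv4 packets rather than a live capture, and reports every mismatch; on a real network the input would come from a SPAN/mirror or a pcap of traffic toward the VTEP and GRE endpoint addresses.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4
IPPROTO_UDP = 17
IPPROTO_GRE = 47
VXLAN_PORT = 4789

# Assumed, constructed policy: which tunnel type each decapsulation IP on the
# switch is configured for. On a real deployment this is read from the
# running-config (vxlan source-interface, tunnel interfaces, decap-groups).
DECAP_POLICY = {
    ipaddress.IPv4Address("10.0.0.1"): {"vxlan"},  # VTEP loopback
    ipaddress.IPv4Address("10.0.0.2"): {"gre"},    # GRE tunnel endpoint
}


@dataclass
class Finding:
    src: str
    dst: str
    observed: str          # tunnel type seen on the wire
    expected: frozenset    # tunnel types configured for dst


def classify_tunnel(pkt: bytes):
    """Return (src, dst, tunnel_kind) for a raw IPv4 packet, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if proto == IPPROTO_GRE:
        kind = "gre"
    elif proto == IPPROTO_IPIP:
        kind = "ipip"
    elif proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        kind = "vxlan" if dport == VXLAN_PORT else f"udp/{dport}"
    else:
        kind = f"proto/{proto}"
    return src, dst, kind


def audit(packets, policy=DECAP_POLICY):
    """Flag packets aimed at a decap IP whose outer tunnel type is not configured for it."""
    findings = []
    for pkt in packets:
        parsed = classify_tunnel(pkt)
        if parsed is None:
            continue
        src, dst, kind = parsed
        expected = policy.get(dst)
        if expected is None:
            continue  # not a decapsulation IP; the switch would route it normally
        if kind not in expected:
            findings.append(Finding(str(src), str(dst), kind, frozenset(expected)))
    return findings


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header + payload for constructed test packets (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic toward the two decap IPs.
SAMPLE = [
    # legitimate VXLAN (UDP/4789) to the VTEP
    ipv4("192.0.2.10", "10.0.0.1", IPPROTO_UDP, udp(50000, VXLAN_PORT, b"\x08\x00\x00\x00\x00\x00\x64\x00" + b"\x00" * 14)),
    # GRE aimed at the VTEP: not a configured tunnel type for that IP
    ipv4("198.51.100.7", "10.0.0.1", IPPROTO_GRE, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19),
    # IP-in-IP aimed at the GRE endpoint: also unexpected
    ipv4("198.51.100.7", "10.0.0.2", IPPROTO_IPIP, b"\x45" + b"\x00" * 19),
    # GRE to the GRE endpoint: expected
    ipv4("192.0.2.11", "10.0.0.2", IPPROTO_GRE, b"\x00\x00\x08\x00"),
    # VXLAN to a non-decap IP: ignored
    ipv4("192.0.2.12", "10.0.0.9", IPPROTO_UDP, udp(1, VXLAN_PORT, b"")),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"SUSPECT {f.src} -> {f.dst}: {f.observed} (configured: {sorted(f.expected)})")
```

Only the outer header is inspected, which is exactly the comparison the advisory says the switch skips; a hit means the device would decapsulate and forward the inner packet, so the same tuple (decap IP, permitted tunnel type) is what the mitigating ACL should express. Expect some benign hits from misconfigured peers before tuning.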
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 6.9 | MEDIUM | — |
| cisa | — | 5.8 | MEDIUM | — |
VulDB
Arista EOS up to 4.36.0 Configuration incomplete comparison with missing factors (EUVD-2026-34858)
vuldb·2026-06-05·CVSS 6.9
CVE-2026-7473 [MEDIUM] Arista EOS up to 4.36.0 Configuration incomplete comparison with missing factors (EUVD-2026-34858)
A vulnerability classified as problematic was found in Arista EOS up to 4.36.0. This affects an unknown part of the component Configuration Handler. Such manipulation leads to incomplete comparison with missing factors.
This vulnerability is uniquely identified as CVE-2026-7473. The attack can be launched remotely. No exploit exists.
GHSA
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is p
ghsa_unreviewed·2026-06-05
CVE-2026-7473 [MEDIUM] CWE-1023 On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is p
On affected platforms running Arista EOS where a tunnel decapsulation configuration is present, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.
This issue has been reported as being exploited in the wild.
VulnCheck
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
vulncheck·2026·CVSS 6.9
CVE-2026-7473 [MEDIUM] Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
On affected platforms running Arista EOS where a tunnel decapsulation configuration is present, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
Affected: Arista Networks EOS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remedia
CISA
Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
cisa·2026-06-09·CVSS 5.8
CVE-2026-7473 [MEDIUM] CWE-1023 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Vulnerability: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Affected: Arista Extensible Operating System
Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability, whereby the switch incorrectly decapsulates and forwards unexpected tunneled packets whose destination IP matches its configured decapsulation IP.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137 ; https://nvd.nist.gov/vuln/detail/CVE-2026-7473
Remediation Due Date: 2026-06-23
Citrix (cross-reference matched on CVE-2020-7473, a different vulnerability; this bulletin is not related to CVE-2026-7473)
Citrix Security Bulletin CTX269106
vendor_citrix·CVSS 7.5
CVE-2020-7473 [HIGH] Citrix Security Bulletin CTX269106
Citrix Security Bulletin CTX269106
CVE References: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
Timeline
2026-06-05 Published
2026-06-09 Added to CISA KEV
Exploited in the wild