CVE-2026-7473

MEDIUM KEV

Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass

Title source: cna

Exploitation Summary

CVE-2026-7473 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 9, 2026. EIP tracks 1 public exploit from researchers including fevar54.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-7473, which allows bypassing tunnel protocol verification in Arista EOS switches. The exploit crafts and sends various tunnel packets (GRE, VXLAN, GUE, IP-in-IP, NVGRE) to demonstrate improper decapsulation and forwarding.

Description

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, so tunnel traffic of a type that was never configured can still be decapsulated and forwarded. This issue has been reported as being exploited in the wild.

Exploits (1)

github WORKING POC
by fevar54 · python · poc
https://github.com/fevar54/CVE-2026-7473---Arista-EOS-Tunnel-Decapsulation-Bypass


Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Arista EOS (versions 4.36.x and below)
No auth needed
Prerequisites: Arista EOS switch configured as a tunnel endpoint with a decapsulation IP · Network access to the target switch
devstral-2 · analyzed Jun 10, 2026

Scores

CVSS v3 5.8
EPSS 0.0038
EPSS Percentile 29.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-06-09
VulnCheck KEV 2026-06-05
ENISA EUVD EUVD-2026-34858
CWE
CWE-1023
Status published
Products (8)
arista/eos
Arista Networks/EOS < 4.30
Arista Networks/EOS 4.31.0 - 4.31
Arista Networks/EOS 4.32.0 - 4.32
Arista Networks/EOS 4.33.0 - 4.33
Arista Networks/EOS 4.34.0 - 4.34
Arista Networks/EOS 4.35.0 - 4.35
Arista Networks/EOS 4.36.0
Published Jun 05, 2026
KEV Added Jun 09, 2026
Tracked Since Jun 05, 2026