No Patch Coming: The Arista EOS Tunnel Decapsulation Bug Vuln Scanners Can't See
3 days ago
- #network-security
- #Arista-EOS
- #vulnerability-management
- CVE-2026-7473 allows attackers to forward unauthorized traffic into protected network segments via Arista EOS switches, exploiting a misconfiguration rather than a software version bug.
- The flaw involves incomplete decapsulation checks: switches verify the outer packet's addresses but ignore the tunnel protocol type, so they unwrap and forward encapsulated traffic regardless of the tunnel type configured for that decapsulation address.
- Vulnerability scanners often miss this issue because they rely on version-based detection; configuration auditing is required to identify exposed devices, i.e. those with decapsulation IPs configured.
- Arista disclosed the vulnerability on May 5, 2026, noting active exploitation, but CVE databases and CISA's KEV catalog lagged behind the disclosure, leaving defenders with a visibility gap.
- No software patch is planned; mitigation relies solely on configuration changes, such as applying ACLs to restrict tunnel protocols and monitoring for unauthorized traffic.
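Since the summary says detection has to come from configuration auditing rather than version checks, and mitigation from ACLs that restrict which tunnel protocols reach a decapsulation address, the following added example (not code from the original page or from Arista) shows what such an audit looks like: it parses an EOS-style running config, collects every decapsulation IP and the tunnel type it was configured for, and reports each address that no inbound ACL restricts to exactly that protocol. The config syntax it recognises (`ip decap-group`, `tunnel type`, `tunnel decap-ip`, `ip access-list`, `ip access-group ... in`) and the sample config are assumptions constructed for the example; the IANA protocol numbers (GRE 47, IP-in-IP 4) are real.

```python
"""Audit an EOS-style running config: flag each tunnel decapsulation address
that no inbound ACL restricts to the tunnel protocol it was configured for.
Added example, not code from the original page or from Arista; the config
syntax recognised here is an assumption, verify it against a real config."""
import re
from dataclasses import dataclass
from typing import Optional

TUNNEL_PROTO = {"gre": 47, "ipip": 4}  # IANA IP protocol numbers this audit knows
PROTO_TOKENS = {"gre": {"gre", "47"}, "ipip": {"ipip", "4"}}  # ACL spellings of each
# ACL entry: [seq] permit|deny <proto> <src> <dst>, with src/dst = any | host A.B.C.D
ENTRY_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)")

@dataclass
class DecapGroup:
    name: str
    tunnel_type: Optional[str] = None
    decap_ip: Optional[str] = None

def parse_config(text):
    """Return (decap groups, {ACL name: entries}, names of ACLs applied inbound)."""
    groups, acls, inbound, ctx = [], {}, set(), None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level statement opens a new context
            if m := re.match(r"ip decap-group (\S+)$", s):
                ctx = DecapGroup(m.group(1))
                groups.append(ctx)
            elif m := re.match(r"ip access-list (\S+)$", s):
                ctx = acls.setdefault(m.group(1), [])
            else:
                ctx = "interface" if s.startswith("interface ") else None
            continue
        if isinstance(ctx, DecapGroup):
            if m := re.match(r"tunnel type (\S+)", s):
                ctx.tunnel_type = m.group(1).lower()
            elif m := re.match(r"tunnel decap-ip (\S+)", s):
                ctx.decap_ip = m.group(1)
        elif isinstance(ctx, list):  # inside an ACL: collect its entries verbatim
            ctx.append(s)
        elif ctx == "interface":
            if m := re.match(r"ip access-group (\S+) in$", s):
                inbound.add(m.group(1))
    return groups, acls, inbound

def first_match(entries, proto, dst_ip):
    """First-match verdict for a packet of tunnel protocol `proto` sent to dst_ip.
    Entries this toy parser cannot read are skipped; no match is the implicit deny."""
    for entry in entries:
        if m := ENTRY_RE.match(entry):
            action, p, _src, dst = m.groups()
            if (p == "ip" or p in PROTO_TOKENS[proto]) and dst in ("any", f"host {dst_ip}"):
                return action
    return "deny"

def acl_guards(entries, group):
    """True if the ACL permits only the configured tunnel protocol to the decap IP
    and denies every other tunnel protocol this audit knows about."""
    verdicts = {t: first_match(entries, t, group.decap_ip) for t in TUNNEL_PROTO}
    return verdicts.get(group.tunnel_type) == "permit" and all(
        v == "deny" for t, v in verdicts.items() if t != group.tunnel_type)

def audit(text):
    """One finding per decap IP; `exposed` is True when no inbound ACL guards it.
    Simplification: an ACL bound inbound on any interface counts; a real audit
    would check every ingress interface that can reach the decap IP."""
    groups, acls, inbound = parse_config(text)
    findings = []
    for g in groups:
        if not g.decap_ip:
            continue
        guard = next((n for n in inbound if n in acls and acl_guards(acls[n], g)), None)
        findings.append({"group": g.name, "decap_ip": g.decap_ip,
                         "tunnel_type": g.tunnel_type, "guarded_by": guard,
                         "exposed": guard is None})
    return findings

# Constructed sample: TENANT-A is guarded; TENANT-B falls through to the permissive tail.
SAMPLE_CONFIG = """\
ip decap-group TENANT-A
   tunnel type gre
   tunnel decap-ip 192.0.2.10
ip decap-group TENANT-B
   tunnel type gre
   tunnel decap-ip 192.0.2.20
ip access-list DECAP-GUARD
   10 permit gre any host 192.0.2.10
   20 deny ip any host 192.0.2.10
   30 permit ip any any
interface Ethernet1
   ip access-group DECAP-GUARD in
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f["group"], f["decap_ip"], "EXPOSED" if f["exposed"] else f"guarded by {f['guarded_by']}")
```

Run against the constructed sample, the audit reports TENANT-B as exposed: its decapsulation address is reachable through the ACL's `permit ip any any` tail, so an IP-in-IP packet aimed at it would be accepted just as a GRE packet would, which is exactly the protocol-type gap the summary describes. TENANT-A is guarded because the ACL permits GRE to its address and then denies everything else to it. The check is deliberately per-protocol rather than per-version, which is why it can find devices a version-matching scanner reports as clean; the simplifications noted in the code (any inbound binding counts, only GRE and IP-in-IP are modelled) are the first things to tighten before using it on a real fleet.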