MEDIUM🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-7473

CVSS 6.9v4.0pub. 2026-06-05upd. 2026-06-09

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Arista 7020sr 24c2

    HW
    Arista
    wszystkie wersje
  • Arista 7020sr 32c2

    HW
    Arista
    wszystkie wersje
  • Arista 7020srg 24c2

    HW
    Arista
    wszystkie wersje
  • Arista 7020tr 48

    HW
    Arista
    wszystkie wersje
  • Arista 7020tra 48

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2 60

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2a 30

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2a 60

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2k 30

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2k 60

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr2m 30

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3 32d4

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3 32p4

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3 36s

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3 96

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3a 24d12

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3a 48d6

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3a 72

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3ak 24d12

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3ak 48d6

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3ak 72

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3am 24d12

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3am 48d6

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3am 72

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3mk 32d4s

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr3mk 32p4s

    HW
    Arista
    wszystkie wersje
  • Arista 7280cr 48

    HW
    Arista
    wszystkie wersje
  • Arista 7280dr3 24

    HW
    Arista
    wszystkie wersje
  • Arista 7280dr3a 36

    HW
    Arista
    wszystkie wersje
  • Arista 7280dr3a 54

    HW
    Arista
    wszystkie wersje

CISA KEV — detailsi

Vendori
Arista
Producti
Extensible Operating System
Added to KEVi
June 9, 2026
Remediation deadline (US Federal)i
June 23, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 23 czerwca 2026
CWE
References

Related vulnerabilities

CVE-2014-7169CRITICAL9.8⚠ KEVten sam produkt

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the...

CVE-2014-6271CRITICAL9.8⚠ KEVten sam produkt

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variab...

CVE-2023-24509CRITICAL9.3ten sam produkt

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having th...

CVE-2021-28500CRITICAL9.1ten sam produkt

An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConf...

CVE-2021-28506CRITICAL9.1ten sam produkt

An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and...