ctipilot.ch

Arista EOS tunnel-decapsulation logic flaw bypasses VXLAN segmentation; CISA KEV, exploited

cve · CVE-2026-7473

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 1 (1 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
    trending_vulns · First coverage. KEV-added 2026-06-09; Arista SA-0137.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • arista.com: 1 (100%)

Items in briefs about Arista EOS tunnel-decapsulation logic flaw bypasses VXLAN segmentation; CISA KEV, exploited (1)

CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Arista EOS contains an incomplete-comparison flaw (CWE-1023) in its tunnel-decapsulation logic. Where a VXLAN, decap-group or GRE decapsulation config is present, the switch decapsulates and forwards tunneled packets whose destination IP matches the configured decap IP, even when they arrive from unexpected sources. This lets an attacker inject traffic into a VXLAN fabric and bypass network segmentation. CISA added CVE-2026-7473 to its KEV catalog on 9 June (Arista, 2026-06-09). Relevant to datacenter-fabric operators in CH/EU finance and government. Apply Arista SA-0137 and add decap source-IP validation/access-lists on VTEP interfaces (T1599.001).
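
A defender-side check for the condition described above, as an added example that is not Arista's code or part of the brief: it scans outer-header flow records for VXLAN or GRE packets addressed to a decap IP from a source outside the expected peer set. The flow-record field names, the addresses and the peer list are constructed assumptions.

```python
import ipaddress

VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN destination port
IPPROTO_UDP, IPPROTO_GRE = 17, 47

def tunnel_type(flow):
    """Classify an outer-header flow record as 'vxlan', 'gre' or None."""
    if flow["proto"] == IPPROTO_UDP and flow.get("dport") == VXLAN_UDP_PORT:
        return "vxlan"
    if flow["proto"] == IPPROTO_GRE:
        return "gre"
    return None

def unexpected_decap_sources(flows, decap_ips, expected_peers):
    """Return flows that are tunneled and addressed to a configured decap IP
    but were sent by a source outside the expected tunnel-peer set."""
    decap = {ipaddress.ip_address(ip) for ip in decap_ips}
    peers = [ipaddress.ip_network(p) for p in expected_peers]
    findings = []
    for flow in flows:
        kind = tunnel_type(flow)
        if kind is None or ipaddress.ip_address(flow["dst"]) not in decap:
            continue
        src = ipaddress.ip_address(flow["src"])
        # Matching on the destination alone is the incomplete comparison;
        # the source must also be a known tunnel endpoint.
        if not any(src in net for net in peers):
            findings.append({**flow, "tunnel": kind})
    return findings

# Constructed sample data (documentation address ranges, not from the advisory).
DECAP_IPS = ["192.0.2.10"]
EXPECTED_PEERS = ["192.0.2.0/28"]
SAMPLE_FLOWS = [
    {"src": "192.0.2.11", "dst": "192.0.2.10", "proto": 17, "dport": 4789},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 17, "dport": 4789},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 47},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 22},
    {"src": "198.51.100.7", "dst": "192.0.2.99", "proto": 17, "dport": 4789},
]

if __name__ == "__main__":
    for hit in unexpected_decap_sources(SAMPLE_FLOWS, DECAP_IPS, EXPECTED_PEERS):
        print(f"{hit['tunnel']}: {hit['src']} -> {hit['dst']}")
```

The same peer list can seed the source-IP access-lists the brief recommends on VTEP interfaces.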