ctipilot.ch


CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV

notable vulnerability discovered 2026-06-10 05:00 UTC single-source

Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))

Arista EOS contains an incomplete-comparison flaw (CWE-1023) in its tunnel-decapsulation logic. Where a VXLAN, decap-group or GRE decapsulation configuration is present, the switch decapsulates and forwards tunneled packets whose destination IP matches the configured decap IP, even when they arrive from unexpected sources, letting an attacker inject traffic into the VXLAN fabric and bypass network segmentation. CISA added CVE-2026-7473 to its KEV catalog on 9 June (Arista, 2026-06-09). Relevant to datacenter-fabric operators in CH/EU finance and government. Mitigation: apply Arista SA-0137 and add decap source-IP validation or access-lists on VTEP interfaces (ATT&CK T1599.001).
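A model of the incomplete comparison described above next to its hardened form, added here as an example in Python (not Arista's code and not part of the original brief): the vulnerable decision checks only the outer destination IP, the hardened one also requires the outer source to be a configured VTEP peer, which is what the source-IP validation mitigation amounts to. The VXLAN header layout follows RFC 7348; the packet fields, decap IP and peer list are constructed values.

```python
import ipaddress
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (RFC 7348)


@dataclass(frozen=True)
class OuterPacket:
    """Outer IP/UDP fields plus the UDP payload (VXLAN header + inner frame)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_vxlan_header(payload: bytes):
    """Return (vni, inner_frame), or None if the 8-byte VXLAN header is malformed."""
    if len(payload) < 8:
        return None
    flags_word, vni_word = struct.unpack("!II", payload[:8])
    if not (flags_word >> 24) & 0x08:  # the I flag must be set for a valid VNI
        return None
    return vni_word >> 8, payload[8:]  # VNI is the upper 24 bits of the second word


def decap_vulnerable(pkt: OuterPacket, decap_ip: str):
    """CWE-1023 pattern as described in the brief: only the destination IP is compared."""
    if pkt.dst_ip == decap_ip and pkt.dst_port == VXLAN_UDP_PORT:
        return parse_vxlan_header(pkt.payload)
    return None


def decap_hardened(pkt: OuterPacket, decap_ip: str, vtep_peers):
    """Same check plus source validation: outer source must belong to a configured VTEP peer."""
    if pkt.dst_ip != decap_ip or pkt.dst_port != VXLAN_UDP_PORT:
        return None
    src = ipaddress.ip_address(pkt.src_ip)
    if not any(src in ipaddress.ip_network(peer) for peer in vtep_peers):
        return None  # drop: tunnel packet from an unexpected source
    return parse_vxlan_header(pkt.payload)


# Constructed sample: VXLAN header (I flag, VNI 10100) followed by a placeholder inner frame.
VXLAN_HDR = bytes([0x08, 0, 0, 0]) + (10100).to_bytes(3, "big") + b"\x00"
INNER = b"\xde\xad\xbe\xef"
DECAP_IP = "10.0.0.1"              # constructed decap / VTEP loopback address
VTEP_PEERS = ["10.0.0.0/24"]       # constructed list of legitimate VTEP sources
ROGUE = OuterPacket("192.0.2.50", DECAP_IP, VXLAN_UDP_PORT, VXLAN_HDR + INNER)
PEER = OuterPacket("10.0.0.2", DECAP_IP, VXLAN_UDP_PORT, VXLAN_HDR + INNER)
```

Running `decap_vulnerable(ROGUE, DECAP_IP)` yields the decapsulated frame for the unexpected source, while `decap_hardened` only does so for `PEER`.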

Tags: vulnerabilities, actively-exploited, cisa-kev, auth-bypass, global, CVE-2026-7473