Arista EOS tunnel decap bypass (CVE-2026-7473) [PoC]
CVE-2026-7473
Actively exploited - CVE-2026-7473 is a medium-severity tunnel decapsulation bypass in Arista EOS that forwards unexpected tunneled packets. Update your EOS version immediately.
Actively exploited in the wild - CVE-2026-7473 is a medium-severity tunnel decapsulation vulnerability in Arista EOS that lets attackers send unexpected tunneled packets to be decapsulated and processed by the switch. CISA confirms active exploitation; apply the vendor-supplied EOS patch or disable unused tunnel decapsulation interfaces.
Overview
CVE-2026-7473 affects Arista EOS platforms where a tunnel decapsulation configuration is present, such as VXLAN, decap-groups, or GRE tunnel interfaces. The switch incorrectly decapsulates and forwards tunneled packets that arrive with a destination IP matching the configured decapsulation IP, regardless of the actual tunnel protocol type. This means an attacker can send arbitrary tunnel-encapsulated traffic to the switch, and the device will process it even if that tunnel type was never enabled or intended for use.
The flaw arises from missing protocol-type verification during the decapsulation process. When the switch sees a packet destined for its decapsulation IP address, it assumes the packet belongs to a configured tunnel and processes it accordingly. An attacker who can send traffic to the switch’s management or data-plane IP can exploit this to inject packets that bypass security controls or trigger unintended forwarding behavior.
Affected Products
All Arista EOS platforms are potentially vulnerable if they have any of the following configured:
- VXLAN tunnel interfaces
- Decap-group definitions
- GRE tunnel interfaces
Impact
The primary impact is that an attacker can send non-standard or unexpected tunnel-encapsulated packets to the switch, which will then be decapsulated and forwarded as normal traffic. This can allow an attacker to bypass network segmentation, inject spoofed traffic, or cause the switch to process malicious payloads. The CVSS 6.9 score reflects the medium severity, as exploitation requires the ability to send traffic to the switch’s decapsulation IP.
Remediation and Mitigation
Immediate Action: Apply the EOS security update provided by Arista. Check your EOS version against the vendor advisory for the patched release.
Alternative Mitigation:
- Disable any tunnel decapsulation interfaces that are not actively required for operations.
- Restrict access to the switch’s management and data-plane IP addresses to trusted networks only.
- Monitor for unexpected tunnel-encapsulated traffic reaching the management interface.
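The check the advisory says is missing, and the monitoring it recommends, can be sketched as an added example (not the advisory's or Arista's code): a small Python classifier that flags any packet reaching a configured decapsulation IP with an encapsulation type that endpoint was never configured for. The decap policy, addresses and packets are constructed for the example; the protocol identifiers (GRE = IP protocol 47, IP-in-IP = 4, VXLAN = UDP/4789) are the standard assignments and are assumed here.

```python
import struct
from dataclasses import dataclass
# Standard encapsulation identifiers (assumed: IANA protocol numbers and the VXLAN UDP port)
IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE = 4, 17, 47
VXLAN_PORT = 4789

@dataclass(frozen=True)
class Tunnel:
    dst_ip: str
    kind: str  # "vxlan", "gre", "ipip" or "none"

def parse_ipv4(pkt: bytes) -> Tunnel:
    """Identify the outer encapsulation of a raw IPv4 packet from its headers only."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto == IPPROTO_GRE:
        return Tunnel(dst, "gre")
    if proto == IPPROTO_IPIP:
        return Tunnel(dst, "ipip")
    if proto == IPPROTO_UDP and struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == VXLAN_PORT:
        return Tunnel(dst, "vxlan")
    return Tunnel(dst, "none")

def check_decap(pkt: bytes, policy: dict) -> str:
    """'pass' = not a decap endpoint, 'decap' = expected tunnel type, 'alert' = unexpected encapsulation.
    policy maps each configured decapsulation IP to the set of tunnel kinds enabled on it."""
    t = parse_ipv4(pkt)
    if t.dst_ip not in policy:
        return "pass"
    return "decap" if t.kind in policy[t.dst_ip] else "alert"

def build_ipv4(dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header, checksum left at zero."""
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), dst_b) + payload

POLICY = {"192.0.2.10": {"vxlan"}}  # constructed: this decap IP is configured for VXLAN only
UDP_VXLAN = struct.pack("!HHHH", 50000, VXLAN_PORT, 16, 0) + bytes.fromhex("0800000000000100")
SAMPLES = {  # constructed: one legitimate VXLAN, two unexpected tunnels at the decap IP, one in transit
    "vxlan_ok": build_ipv4("192.0.2.10", IPPROTO_UDP, UDP_VXLAN),
    "gre_unexpected": build_ipv4("192.0.2.10", IPPROTO_GRE, bytes.fromhex("00000800")),
    "ipip_unexpected": build_ipv4("192.0.2.10", IPPROTO_IPIP, bytes(20)),
    "gre_transit": build_ipv4("198.51.100.7", IPPROTO_GRE, bytes.fromhex("00000800")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> {check_decap(pkt, POLICY)}")
```

The same policy-versus-observed comparison can be run over a flow export or packet capture filtered to the switch's decapsulation addresses; anything that lands in `alert` is traffic the vulnerable code path would have decapsulated anyway.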
Security Insight
This vulnerability highlights a recurring architectural weakness in network devices: the assumption that any tunneled packet arriving at a configured IP is legitimate by default. Unlike application-layer firewalls or IDS/IPS systems, many high-speed ASIC-based switches lack the processing logic to validate tunnel protocol metadata before forwarding. CVE-2026-7473 is a reminder that network teams should treat tunnel decapsulation interfaces as attack surfaces in their own right and apply zero-trust principles to data-plane packet processing. Organizations with heavy VXLAN or GRE deployments should audit their switch configurations for unused decapsulation endpoints and remove them as part of their hardening procedures.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| fevar54/CVE-2026-7473---Arista-EOS-Tunnel-Decapsulation-Bypass | Vulnerability: On affected Arista EOS platforms with tunnel decapsulation | ★ 1 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.