COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-7473

CVE-2026-7473

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-06-09
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-7473
⚡ RCE ⌖ exploited in the wild shame 65/100 exploited-in-wildunpatchedransomware

Arista EOS misdecapsulates tunneled packets due to an incomplete comparison vulnerability, enabling attackers to bypass security controls and potentially execute code on network devices.

This vulnerability allows attackers to exploit EOS switches by sending malformed tunneled packets that bypass decapsulation checks, potentially leading to remote code execution on network infrastructure. Defense-industrial-base organizations must patch immediately to prevent unauthorized access to critical network devices, as this could compromise the confidentiality and integrity of sensitive data in transit.

Shame score — Arista shipped a network OS with a critical security flaw that was actively exploited in the wild, indicating a failure to adequately secure their widely-deployed product.

Players implicated

Arista · vendorExtensible Operating System · product

Description

Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.