No Patch Planned for Exploited Arista EOS Vulnerability

https://www.securityweek.com/no-patch-planned-for-exploited-arista-eos-vulnerability/

Publish Date: 2026-06-10 02:38:32

Source Domain: www.securityweek.com

Threat of Ongoing Exploitation of Arista EOS Vulnerability

Cybercriminals have exploited a zero-day vulnerability in Arista’s Extensible Operating System (EOS), a Linux-based solution used in high-performance network switches. Tracked as CVE-2026-7473, the flaw stems from inadequate verification of tunnel protocol types, which allows unauthorized tunnel traffic to be processed under specific configurations. It impacts the 7020R, 7280R/R2, and 7500R/R2 series, as well as certain IP-in-IPv6 and GRE IPv6 group scenarios on the 7280R3, 7500R3, and 7800R3 series. Despite reported exploitation in the wild, Arista announced that no software upgrade path will address the issue, citing potential configuration disruptions. The US CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) list and advised federal agencies to mitigate the risk within two weeks.

Key Points:

  • Vulnerability CVE-2026-7473 in Arista EOS is being actively exploited in the wild.
  • The flaw allows unauthorized tunnel traffic processing for certain network switch configurations.
  • No patch will be released due to the risk of disrupting existing configurations.
  • CISA has added the vulnerability to its Known Exploited Vulnerabilities list.
  • Federal agencies are urged to address the issue within two weeks.