Organizations Urged to Mitigate as Arista EOS Vulnerability Remains Unpatched
A vulnerability in Arista's Extensible Operating System (EOS) is being actively exploited as a zero-day, but the networking vendor says it has no plans to release a software patch to address the issue.
Arista EOS is a modular, Linux-based network operating system that powers the company's high-performance switching platforms used across data center, cloud, and enterprise environments.
Tracked as CVE-2026-7473 and assigned a CVSS score of 6.9, the flaw stems from insufficient validation of tunnel protocol types in certain configurations. As a result, devices may process and decapsulate tunnel traffic that was never explicitly configured or intended to be accepted.
The vulnerability affects devices configured as tunnel endpoints with a decapsulation IP address, including deployments using decap-groups, Generic Routing Encapsulation (GRE) tunnel interfaces, or Virtual Extensible LAN (VXLAN).
According to Arista, a device configured to decapsulate one tunnel protocol may inadvertently accept and process other tunnel protocols directed to the same IP address, even when those protocols are not enabled.
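The behaviour described above, decapsulation of tunnel types an endpoint was never configured for, is something defenders can look for in flow telemetry. The following is an added example, not Arista's tooling or the advisory's mitigation: it audits constructed flow records against a table of decap endpoints and flags tunnel traffic whose encapsulation does not match what the endpoint is configured for. The flow record format, the endpoint table and the sample addresses are assumptions; the protocol numbers and UDP ports are the standard ones for GRE, IP-in-IP, IPv6-in-IP, VXLAN and GUE.

```python
"""Flag tunnel traffic arriving at a decap endpoint with an unexpected encapsulation.
Added example with a constructed flow format and endpoint table (assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard encapsulation identifiers: IP protocol numbers and UDP destination ports.
IP_PROTO_IPIP, IP_PROTO_IPV6, IP_PROTO_GRE, IP_PROTO_UDP = 4, 41, 47, 17
UDP_PORT_VXLAN, UDP_PORT_GUE = 4789, 6080


@dataclass(frozen=True)
class Flow:
    """Minimal flow record (assumed shape, e.g. distilled from NetFlow/sFlow)."""
    src: str
    dst: str
    proto: int
    dport: int = 0  # only meaningful for UDP


def tunnel_kind(f: Flow) -> Optional[str]:
    """Classify a flow by encapsulation type, or None if it is not tunnel traffic."""
    if f.proto == IP_PROTO_GRE:
        return "gre"
    if f.proto == IP_PROTO_IPIP:
        return "ipip"
    if f.proto == IP_PROTO_IPV6:
        return "ip6ip"
    if f.proto == IP_PROTO_UDP and f.dport == UDP_PORT_VXLAN:
        return "vxlan"
    if f.proto == IP_PROTO_UDP and f.dport == UDP_PORT_GUE:
        return "gue"
    return None


def unexpected_tunnels(flows: List[Flow], endpoints: Dict[str, str]) -> List[Flow]:
    """endpoints maps a decap IP to the single tunnel kind it is configured for.
    Returns tunnel flows aimed at a decap IP whose kind differs from that config."""
    return [f for f in flows
            if f.dst in endpoints
            and (k := tunnel_kind(f)) is not None
            and k != endpoints[f.dst]]


# Constructed sample data: two decap endpoints and a handful of flows.
ENDPOINTS = {"203.0.113.10": "vxlan", "203.0.113.20": "gre"}
FLOWS = [
    Flow("198.51.100.5", "203.0.113.10", IP_PROTO_UDP, UDP_PORT_VXLAN),  # matches config
    Flow("198.51.100.7", "203.0.113.10", IP_PROTO_GRE),                  # GRE at a VXLAN endpoint
    Flow("198.51.100.9", "203.0.113.20", IP_PROTO_IPIP),                 # IP-in-IP at a GRE endpoint
    Flow("198.51.100.9", "203.0.113.99", IP_PROTO_GRE),                  # not a decap endpoint
]

if __name__ == "__main__":
    for f in unexpected_tunnels(FLOWS, ENDPOINTS):
        print(f"unexpected {tunnel_kind(f)} from {f.src} to decap endpoint {f.dst}")
```

Any hit is worth correlating with the device's decap configuration, since the advisory says such traffic may be processed rather than dropped.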
"This issue has been reported as being exploited in the wild," the company warned in a security advisory published in May.
The flaw impacts Arista's 7020R, 7280R/R2, and 7500R/R2 product families. Additional IP-in-IPv6 and GUE IPv6 decapsulation scenarios may affect 7280R3, 7500R3, and 7800R3 series devices.
Despite evidence of active exploitation, Arista has opted against developing a software fix or hotfix for the vulnerability. Instead, the company is directing customers to implement configuration-based mitigations outlined in its advisory.
"No software upgrade path is planned to address this issue due to the risk of breaking existing configurations in deployed environments," Arista said. "The recommended resolution is to follow the appropriate mitigation instructions."
The decision places added emphasis on defensive configuration management, requiring affected organizations to review and adjust network settings rather than rely on a traditional patching process.
The vulnerability has also drawn the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). On Tuesday, the agency added CVE-2026-7473 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to remediate the issue within two weeks.
CISA simultaneously added two other actively exploited zero-day vulnerabilities to the KEV list: CVE-2026-11645, affecting Google Chrome, and CVE-2026-20245, impacting Cisco SD-WAN deployments.
The inclusion of all three flaws underscores the continued focus on vulnerabilities that are already being weaponized by threat actors, highlighting the need for rapid mitigation even when vendor-issued patches are unavailable.