[KEV] CVE-2026-7473 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-7473 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-7473 is an incomplete comparison vulnerability in Arista Extensible Operating System (EOS) affecting the packet decapsulation logic on Arista network switches.
Technical Detail
The flaw exists in how Arista EOS handles tunneled packets: the switch fails to perform a complete validation check when decapsulating traffic, causing it to incorrectly decapsulate and forward unexpected tunneled packets whose destination IP matches the device's configured decapsulation IP. An attacker who can send crafted tunneled packets toward the affected switch can exploit this logic gap to cause unintended packet forwarding behavior, potentially bypassing network segmentation controls or injecting traffic into otherwise isolated network segments. The precise impact depends on network topology, but unauthorized traffic forwarding in a core switching context can undermine routing integrity and access control enforcement.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 9, 2026. The exploit maturity is rated Operational, meaning functional exploit code or techniques capable of reliably triggering the vulnerability in real environments are in active use, not merely theoretical or proof-of-concept. Organizations running affected Arista EOS versions should treat this as an immediate operational risk.
Who Is Targeting This
No specific threat actor has been attributed at this time; available intelligence sources have established no confirmed or reported threat actor association for this CVE.
What To Do
Per CISA's Known Exploited Vulnerabilities catalog, federal agencies are required to apply patches or implement mitigations by the deadline specified in Binding Operational Directive 22-01; given the June 9, 2026 KEV listing date, organizations should treat remediation as urgent and target completion no later than June 30, 2026 absent a specific CISA-issued deadline. Administrators should apply the vendor-supplied patch from Arista for the affected EOS versions immediately. As an interim workaround, review and restrict which interfaces and source addresses are permitted to send tunneled traffic to decapsulation endpoints, and apply ingress access control lists to limit exposure to trusted sources only. Network defenders should monitor for anomalous decapsulated traffic appearing on unexpected VLANs or segments, and review tunnel endpoint configurations for signs of unauthorized forwarding activity. Consult Arista's security advisory directly for the specific EOS version matrix and patch availability.
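An added detection example for the interim workaround and monitoring advice above (not Arista's code or part of the briefing): it triages flow records and flags tunneled flows aimed at the configured decapsulation IP that arrive from a source prefix or ingress interface outside the allowlist. The tunnel protocol set, the flow-record fields, the sample records and all addresses are assumptions, since the briefing does not name the affected tunnel type.

```python
# Added example, not Arista code: triage flow records for tunneled traffic that
# reaches an EOS decapsulation IP from a source or interface not on the allowlist.
# Tunnel protocol set, record fields and sample flows are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL_IP_PROTOS = {4: "ipip", 47: "gre"}   # outer IP protocol numbers
TUNNEL_UDP_PORTS = {4789: "vxlan"}          # UDP-carried encapsulations

@dataclass(frozen=True)
class Flow:
    src: str      # outer source IP
    dst: str      # outer destination IP
    proto: int    # IP protocol number
    dport: int    # UDP/TCP destination port, 0 if none
    ingress: str  # switch ingress interface

def tunnel_kind(flow):
    """Name of the encapsulation if the outer header looks tunneled, else None."""
    if flow.proto in TUNNEL_IP_PROTOS:
        return TUNNEL_IP_PROTOS[flow.proto]
    if flow.proto == 17 and flow.dport in TUNNEL_UDP_PORTS:
        return TUNNEL_UDP_PORTS[flow.dport]
    return None

def flag_untrusted_tunnels(flows, decap_ip, trusted_sources, trusted_ingress):
    """(flow, kind) pairs for tunneled flows to decap_ip failing either allowlist check."""
    decap = ip_address(decap_ip)
    nets = [ip_network(n) for n in trusted_sources]
    hits = []
    for f in flows:
        kind = tunnel_kind(f)
        if kind is None or ip_address(f.dst) != decap:
            continue  # not tunneled, or not aimed at the decapsulation endpoint
        src_ok = any(ip_address(f.src) in n for n in nets)
        if not (src_ok and f.ingress in trusted_ingress):
            hits.append((f, kind))
    return hits

# Constructed sample: two legitimate tunnels, one from an untrusted peer, one on
# an unexpected interface, and one plain HTTPS flow that must not be flagged.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "192.0.2.10", 47, 0, "Ethernet1"),
    Flow("10.1.0.6", "192.0.2.10", 17, 4789, "Ethernet1"),
    Flow("198.51.100.7", "192.0.2.10", 4, 0, "Ethernet3"),
    Flow("10.1.0.5", "192.0.2.10", 47, 0, "Ethernet7"),
    Flow("198.51.100.7", "192.0.2.10", 6, 443, "Ethernet3"),
]

if __name__ == "__main__":
    for flow, kind in flag_untrusted_tunnels(SAMPLE_FLOWS, "192.0.2.10", ["10.1.0.0/24"], {"Ethernet1"}):
        print(f"ALERT {kind} from {flow.src} via {flow.ingress} -> {flow.dst}")
```

Feed it exported flow records (sFlow/NetFlow/IPFIX or ACL counters) with your real decapsulation IP and allowlists; any hit is a candidate for the ingress ACL restriction described above.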