Particle.news

Arista Declines Patch for Actively Exploited EOS Tunnel Flaw

Patching would risk breaking live data-center configurations, leaving operators to apply ACL mitigations under CISA’s June 23 remediation order for federal agencies.

Overview

  • CISA added CVE-2026-7473 to its Known Exploited Vulnerabilities catalog on Wednesday and ordered federal civilian agencies to apply mitigations or fixes by June 23, 2026.
  • Arista confirmed the flaw has been exploited in the wild and said it will not issue a software patch because changes to tunnel handling could break existing deployments.
  • The bug affects certain platforms such as the 7020R, 7280R/R2, and 7500R/R2 series and only works when a switch is configured as a tunnel endpoint with a decapsulation IP like a VXLAN VTEP, GRE endpoint, or decap-group.
  • Exploitation causes a device set to decapsulate one tunnel type to accept and decapsulate other tunnel protocols sent to the same IP, which can let unexpected tunneled traffic be processed or forwarded.
  • Arista’s recommended fix is to apply ACLs, either upstream or on the affected devices, that allow legitimate tunnel traffic or block malicious packets; this mitigation may be operationally complex and less complete than a vendor patch. The issue adds to a 2026 pattern of actively exploited critical zero-days.
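To make the ACL mitigation concrete, the following is an added illustrative configuration, not Arista's published guidance and not taken from the advisory. It assumes EOS-style ACL syntax, a placeholder decapsulation address 192.0.2.10 that is meant to terminate only VXLAN (UDP 4789), and that GRE (IP protocol 47), IP-in-IP (4) and IPv6-in-IPv4 (41) are the "other tunnel protocols" the endpoint should never decapsulate. It goes slightly beyond the summary by denying specific encapsulations rather than all traffic to the address, so control-plane and management sessions to that IP keep working.

```text
! Illustrative EOS-style ACL (assumed syntax, not Arista's own mitigation).
! 192.0.2.10 is a placeholder for the switch's decapsulation IP, assumed to be a VXLAN VTEP.
ip access-list TUNNEL-DECAP-GUARD
   counters per-entry
   ! 1. Permit only the tunnel type this endpoint is configured to terminate (VXLAN, UDP 4789).
   10 permit udp any host 192.0.2.10 eq 4789
   ! 2. Explicitly drop other encapsulations aimed at the same address:
   !    GRE (47), IP-in-IP (4) and IPv6-in-IPv4 (41), which the device was never meant to decapsulate.
   20 deny 47 any host 192.0.2.10
   30 deny 4 any host 192.0.2.10
   40 deny 41 any host 192.0.2.10
   ! 3. Leave everything else alone: BGP, ICMP and SSH to the loopback, and transit traffic.
   50 permit ip any any
!
! Bind the list inbound on the uplinks over which tunnel traffic arrives.
interface Ethernet1
   ip access-group TUNNEL-DECAP-GUARD in
!
! Per-entry counters make hits on entries 20-40 visible via
! 'show ip access-lists TUNNEL-DECAP-GUARD', which doubles as a detection signal.
```

Before deploying, compare the permitted protocol and port with the tunnel type actually configured on the endpoint (a GRE endpoint or decap-group needs a different permit line), check whether the same address legitimately terminates more than one tunnel type, and confirm the affected platform's hardware ACL support for the protocol numbers used against Arista's advisory.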