PROBABLYPWNED
Vulnerabilities · June 11, 2026 · 3 min read

Arista Refuses to Patch Exploited Flaw Added to CISA KEV

CVE-2026-7473 lets attackers bypass tunnel security controls on Arista network devices. CISA added it to KEV—but Arista says patching would 'break existing configurations.'

Marcus Chen

CISA added CVE-2026-7473 to its Known Exploited Vulnerabilities catalog on Tuesday, giving federal agencies two weeks to address the issue. One problem: Arista has announced no patch is coming.

The network equipment vendor says fixing the vulnerability would "break existing configuration on deployments," so organizations must apply mitigations or stop using affected devices entirely.

What the Vulnerability Does

CVE-2026-7473 affects Arista EOS devices configured for tunnel decapsulation, whether through a VXLAN interface, a GRE tunnel interface, or a decap-group. The flaw causes the device to accept and decapsulate tunnel protocols it was never explicitly configured to handle, as long as they are addressed to the same endpoint IP as the configured tunnel.

As Arista explains in Security Advisory 0137: "A device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address."

An attacker who can send packets to a vulnerable device's tunnel endpoint IP could wrap arbitrary packets in a tunnel type the device was never configured for (for example, GRE sent to a VXLAN VTEP address) and have them decapsulated and forwarded. That lets them inject traffic into networks they shouldn't have access to, bypass segmentation controls, or conduct reconnaissance on internal network topology.

The CVSS score is 6.9, medium severity, but evidence of active exploitation prompted CISA's KEV addition. CISA has been aggressive about adding vulnerabilities to the KEV catalog this year, prioritizing real-world exploitation over theoretical severity.

Affected Devices

The vulnerability impacts:

  • 7020R series
  • 7280R/R2 series
  • 7500R/R2 series

The 7280R3, 7500R3, and 7800R3 series are also affected, but only in specific IP-in-IPv6 and GUE IPv6 scenarios.

Why No Patch

Arista's decision not to release a software fix is unusual. The company's reasoning: "No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments."

This puts organizations in an uncomfortable position. They can apply Arista's recommended mitigations, primarily ACLs on upstream devices or on the affected switches themselves that drop every tunnel encapsulation a given endpoint IP is not configured to decapsulate, or they can replace the equipment. Neither option is simple for production networks.

For federal agencies subject to CISA's Binding Operational Directive 22-01, the KEV addition means they must address the vulnerability by June 23, 2026. "Address" may mean isolation, compensating controls, or removal from service—not a patch that doesn't exist.

Mitigations

Arista's advisory recommends:

  1. Apply ACLs on upstream devices to block unauthorized tunnel protocols before they reach vulnerable switches

  2. Apply ACLs on the affected devices to selectively allow only legitimate tunnel traffic or block malicious traffic

  3. Review network segmentation to ensure compromised tunnel decapsulation can't reach sensitive network segments

  4. Consider retiring affected devices if mitigations can't adequately reduce risk
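The ACL mitigation only works if it is derived from what each device is actually configured to decapsulate: a VXLAN VTEP address must stop accepting GRE, IP-in-IP, IPv6-in-IP and GUE, a GRE tunnel source must stop accepting VXLAN, and so on, while non-tunnel traffic to the box keeps flowing. The script below is an added example written for this article, not Arista's tooling or text from the advisory. It inventories tunnel endpoints in an EOS-style running-config (a constructed sample is embedded) and emits one allow-list ACL per endpoint IP. The EOS configuration and ACL syntax it parses and emits, including the use of numeric IP protocol numbers in ACL entries, is assumed from Arista's documentation and must be checked against the installed release before anything is pushed to a switch.

```python
"""Inventory tunnel endpoints in an EOS-style config and emit an allow-list ACL
per endpoint IP as a CVE-2026-7473 mitigation.

Added example, not Arista's tooling. SAMPLE_CONFIG is constructed; the EOS
command and ACL syntax is assumed from the EOS docs and must be verified
against the installed release (notably numeric protocols in ACL entries)."""
import ipaddress
import re

# Encapsulations that can arrive on one endpoint IP. Per the advisory, a device
# that decapsulates one of these wrongly decapsulates the others as well.
# Value: (ACL protocol keyword or IP protocol number, UDP dst port or None).
ENCAPS = {
    "vxlan": ("udp", 4789),   # assumes the default VXLAN port
    "gue":   ("udp", 6080),   # Generic UDP Encapsulation
    "gre":   (47, None),
    "ipip":  (4, None),       # IP-in-IP
    "ip6ip": (41, None),      # IPv6-in-IPv4
}

SAMPLE_CONFIG = """\
interface Loopback1
   ip address 10.255.0.1/32
!
interface Vxlan1
   vxlan source-interface Loopback1
   vxlan udp-port 4789
!
interface Tunnel1
   tunnel mode gre
   tunnel source 192.0.2.10
   tunnel destination 198.51.100.7
!
ip decap-group LEGACY
   tunnel type ipip
   tunnel decap-ip 203.0.113.5
"""


def parse_blocks(config):
    """Split an EOS-style config into {header line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw[0] not in " \t":
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def resolve_ip(blocks, token):
    """Address from a literal IP, or from the named interface's 'ip address'."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        pass
    for line in blocks.get(f"interface {token}", []):
        m = re.match(r"ip address (\S+)", line)
        if m:
            return str(ipaddress.ip_interface(m.group(1)).ip)
    return None


def tunnel_endpoints(config):
    """Return {endpoint_ip: {encap names the device is configured to decap}}."""
    blocks, found = parse_blocks(config), {}

    def add(ip, encap):
        if ip and encap in ENCAPS:
            found.setdefault(ip, set()).add(encap)

    for header, lines in blocks.items():
        if header.startswith("interface Vxlan"):
            for ln in lines:
                m = re.match(r"vxlan source-interface (\S+)", ln)
                if m:
                    add(resolve_ip(blocks, m.group(1)), "vxlan")
        elif header.startswith("interface Tunnel"):
            mode = src = None
            for ln in lines:
                m = re.match(r"tunnel (mode|source) (\S+)", ln)
                if m and m.group(1) == "mode":
                    mode = m.group(2)
                elif m:
                    src = m.group(2)
            if src:
                add(resolve_ip(blocks, src), mode)
        elif header.startswith("ip decap-group"):
            kind = next((ln.split()[2] for ln in lines
                         if ln.startswith("tunnel type ")), None)
            for ln in lines:
                m = re.match(r"tunnel decap-ip (\S+)", ln)
                if m:
                    add(resolve_ip(blocks, m.group(1)), kind)
    return found


def build_acl(endpoints, name="TUNNEL-DECAP-GUARD"):
    """Permit only the configured encapsulation(s) per endpoint IP, deny the
    other tunnel types to that IP, and let everything else through so the ACL
    can be applied inbound on a transit interface without an implicit deny."""
    out, seq = [f"ip access-list {name}"], 10
    for ip in sorted(endpoints, key=ipaddress.ip_address):
        for encap, (proto, port) in ENCAPS.items():
            action = "permit" if encap in endpoints[ip] else "deny"
            match = f"{proto} any host {ip}" + (f" eq {port}" if port else "")
            out.append(f"   {seq} {action} {match}")
            seq += 10
    out.append(f"   {seq} permit ip any any")
    return "\n".join(out)


if __name__ == "__main__":
    eps = tunnel_endpoints(SAMPLE_CONFIG)
    for ip, kinds in sorted(eps.items()):
        print(f"{ip}: decapsulates {', '.join(sorted(kinds))}")
    print(build_acl(eps))
```

Run it against the exported running-config of each device from the affected-series list and review the inventory before the ACL: an endpoint that shows up with no encapsulation, or one you did not expect, is the device to look at first. The generated ACL must be applied inbound on every interface the endpoint IP is reachable from (or on the upstream device in front of it), and the same exercise has to be repeated with an ipv6 access-list for the IP-in-IPv6 and GUE IPv6 cases on the R3 platforms; a non-default `vxlan udp-port` also has to be reflected in ENCAPS.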

Why This Matters

Vendors occasionally decline to patch vulnerabilities, usually citing end-of-life products or architectural limitations. Arista's case is different—these are current products that the vendor actively sells and supports.

The "it would break things" rationale puts security teams in a difficult spot. Network infrastructure changes are disruptive and require careful planning. Organizations may be running configurations that depend on the current (flawed) behavior, making the transition to mitigated configurations complex.

CISA's decision to add the CVE to KEV despite no patch signals how seriously the agency views the exploitation activity. Federal agencies have no choice but to implement workarounds. Private sector organizations should treat this with similar urgency.

For network teams managing Arista deployments, start by identifying which devices are running tunnel decapsulation configurations and assess exposure. Then work with Arista support on implementing the recommended ACL-based mitigations. Document everything—auditors will want to see how you addressed a KEV entry without a patch.

This situation also highlights the importance of vendor security responsiveness when evaluating network equipment purchases. Organizations should ask vendors how they handle vulnerabilities that are difficult to patch—before those decisions affect production networks.
