Arista EOS Tunnel Bug: No Patch, Scanners Can't See It - CVE-2026-7463 - Eclypsium | Supply Chain Security for the Modern Enterprise
No Patch Coming: The Arista EOS Tunnel Bug Your Scanner Will Miss
By: Paul Asadoorian
June 16, 2026
CVE-2026-7473 allows an attacker to sneak traffic into your network; there is no fix planned, and because the flaw lives in configuration rather than in a version number, your scanner will likely miss it.
Vulnerability Details – The Package You Weren’t Expecting
An actively exploited vulnerability (CVE-2026-7473) in some Arista EOS switches with a tunnel decapsulation configuration interface causes the switch to forward unexpected, improperly decapsulated traffic. Vulnerability scanners won’t catch this, since it depends on a misconfiguration.
Some background helps explain why this category of vulnerability is so dangerous and so hard to detect. A high percentage of network traffic does not travel directly across the network. It is first wrapped inside another packet. I will use the mailroom analogy: tunneling protocols are like sealing a letter in a shipping box to ensure it survives the trip. Wrapping traffic like this is what people mean by "tunneling." There are several different tunneling protocols, such as VXLAN, GRE, and IP-in-IP. The names matter less than the basic idea: the switch’s job is to receive these wrapped packets, unwrap them (a process called decapsulation), and forward their contents to the right place on the network.
When tunneling is set up, you give the mailroom two pieces of information: the address to which wrapped packets should be sent and the wrapping format those packets should use. From then on, you assume the mailroom opens packages only if they arrive at that address in the format you specified. That assumption is the entire basis on which you reason about what traffic can reach the inside of your network.
CVE-2026-7473 breaks that assumption because affected Arista EOS switches check the address on the outside of the package but never check what kind of wrapping it is, so they will open and forward the contents of any wrapped packet sent to...
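The two-part check described above (outer address and wrapping format), written as a detection pass over captured IPv4 packets. This is an added example, not code from the article or from Arista; the function names are hypothetical, and the decap address 192.0.2.10 with VXLAN as its configured tunnel type is a constructed placeholder.

```python
import ipaddress
import struct

IP_TUNNELS = {47: "gre", 4: "ipip"}  # outer IP protocol numbers
VXLAN_UDP_PORT = 4789                # IANA-assigned VXLAN destination port

def encap_type(pkt: bytes):
    """Return (outer destination IP, tunnel type) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a usable IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], str(ipaddress.IPv4Address(pkt[16:20]))
    if proto in IP_TUNNELS:
        return dst, IP_TUNNELS[proto]
    if proto == 17 and len(pkt) >= ihl + 4:  # UDP: read the destination port
        if struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == VXLAN_UDP_PORT:
            return dst, "vxlan"
    return dst, "none"

def unexpected_tunnel_packets(packets, decap_ip, expected):
    """List (index, type) for tunnel packets sent to decap_ip in a wrapping
    other than the configured one; these should never be decapsulated."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            dst, kind = encap_type(pkt)
        except ValueError:
            continue  # truncated or non-IPv4 capture data
        if dst == decap_ip and kind not in (expected, "none"):
            hits.append((i, kind))
    return hits

def build_ipv4(dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed sample (checksum left 0)."""
    src = ipaddress.IPv4Address("198.51.100.7").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample: 192.0.2.10 stands in for a decap address configured for VXLAN.
SAMPLE = [
    build_ipv4("192.0.2.10", 17, struct.pack("!HHHH", 40000, 4789, 8, 0)),  # expected
    build_ipv4("192.0.2.10", 47),   # GRE to the decap address: unexpected
    build_ipv4("192.0.2.10", 4),    # IP-in-IP to the decap address: unexpected
    build_ipv4("192.0.2.99", 47),   # GRE to an unrelated host: ignored
]

if __name__ == "__main__":
    print(unexpected_tunnel_packets(SAMPLE, "192.0.2.10", "vxlan"))
```

Run against traffic captured upstream of the switch, a non-empty result means wrapped packets are reaching the decap address in a format the configuration never asked for.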