CISA has added CVE-2026-7473 to its Known Exploited Vulnerabilities catalogue. The entry concerns Arista’s Extensible Operating System (EOS) and covers the “Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability.”
The flaw resides in the packet handling logic of EOS, where an incomplete comparison with missing factors allows a switch to incorrectly decapsulate and forward unexpected tunneled packets when the destination IP matches the switch’s configured decapsulation IP. This can enable an attacker to bypass intended traffic isolation and potentially inject or intercept data. The vulnerability is rated CVSS 6.9 (Medium). No patch information is available in the NVD entry, and the patch status is listed as unknown.
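The class of flaw described above, modelled as an added example (not Arista's code, and not taken from the advisory): a decapsulation decision that compares only the destination IP, beside one that compares every configured factor. The page does not say which factors EOS omits; the tunnel protocol and source endpoint used here, and all names and addresses, are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class DecapPolicy:
    # Hypothetical model of a switch's tunnel-termination configuration.
    decap_ip: str
    protocols: frozenset   # tunnel types the switch is meant to terminate (assumed factor)
    peers: frozenset       # remote endpoints allowed to send tunneled traffic (assumed factor)

@dataclass(frozen=True)
class OuterHeader:
    src: str
    dst: str
    protocol: str

def incomplete_match(policy, hdr):
    """Weak form: the destination IP is the only factor compared."""
    return ip_address(hdr.dst) == ip_address(policy.decap_ip)

def complete_match(policy, hdr):
    """Hardened form: every configured factor must agree before decapsulating."""
    allowed_peers = {ip_address(p) for p in policy.peers}
    return (
        ip_address(hdr.dst) == ip_address(policy.decap_ip)
        and hdr.protocol in policy.protocols
        and ip_address(hdr.src) in allowed_peers
    )

def wrongly_decapsulated(policy, headers):
    """Headers the weak check accepts but the complete check rejects."""
    return [h for h in headers
            if incomplete_match(policy, h) and not complete_match(policy, h)]

# Constructed sample data using RFC 5737 documentation addresses.
POLICY = DecapPolicy("192.0.2.1", frozenset({"vxlan"}), frozenset({"192.0.2.2"}))
SAMPLE = [
    OuterHeader("192.0.2.2", "192.0.2.1", "vxlan"),     # expected tunnel
    OuterHeader("192.0.2.2", "192.0.2.1", "gre"),       # unexpected tunnel type
    OuterHeader("198.51.100.7", "192.0.2.1", "vxlan"),  # unexpected source endpoint
    OuterHeader("192.0.2.2", "192.0.2.9", "vxlan"),     # not addressed to the decap IP
]

if __name__ == "__main__":
    for h in wrongly_decapsulated(POLICY, SAMPLE):
        print("isolation gap:", h)
```

The same pair of predicates can serve as a regression test for any tunnel-termination policy: every header the weak check accepts and the complete check rejects is traffic that crosses an isolation boundary it should not.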
Inclusion in the KEV catalogue means active exploitation in the wild has been confirmed. CISA has not linked this flaw to any known ransomware campaign; the catalogue's ransomware-use field is marked as unknown. Federal agencies must apply mitigations by the remediation due date of 2026-06-23.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations are advised to review their exposure to Arista EOS and implement the same mitigations where feasible.
For full technical details, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-7473 and the CISA KEV catalogue.