Hackers are exploiting a vulnerability in Arista's Extensible Operating System (EOS), tracked as CVE-2026-7473, which has a CVSS score of 6.9. This zero-day flaw leads to incorrect processing of tunnel traffic in specific configurations and affects models including the 7020R, 7280R/R2, and 7500R/R2. Although the flaw is reported as actively exploited, Arista will not release patches due to potential risks to existing configurations.
The US cybersecurity agency CISA has included this vulnerability in its Known Exploited Vulnerabilities list, recommending mitigation actions for federal agencies. Arista offers guidance for mitigation instead of software fixes.