Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

Arista refuses to patch KEV flaw

3 min read
08:16UTC

Arista Networks told customers it has no plans to fix CVE-2026-7473, an exploited tunnel-verification flaw on CISA's mandatory-remediation list, leaving federal agencies legally bound to fix something the vendor will not.

TechnologyDeveloping
Key takeaway

Arista is the first vendor to formally refuse a fix for a flaw on CISA's mandatory-remediation list.

Arista Networks told customers it has no plans to ship a fix for CVE-2026-7473, a CVSS 6.9 tunnel-verification flaw in Arista EOS (Extensible Operating System) that CISA added to its KEV (Known Exploited Vulnerabilities) catalogue on 9 June with a 23 June federal deadline 1. Affected switches configured to unwrap one tunnel type wrongly accept others instead; Arista says a code fix would break working configurations on its 7020R, 7280R and 7500R series, and offers access-control lists only. Federal agencies are now legally bound to remediate a flaw the vendor will not repair.

The KEV catalogue is CISA's list of vulnerabilities confirmed under active attack; once a flaw lands on it, US federal civilian agencies must close it by a set date. That model assumes a patch exists, or soon will. This is the second time in six weeks that the assumption has failed. The Exchange OWA flaw carried a 29 May cut-off with no fix available , and PAN-OS had a deadline land four days before its patch . Arista is the worse case of the three, because Exchange and PAN-OS merely ran late while Arista formally declines to ship anything.

BOD 22-01 (Binding Operational Directive 22-01), the November 2021 order behind the KEV catalogue, has no provision for a vendor that refuses to patch. Its remediation clock presumes the fix is the bottleneck, not the vendor's willingness to write one. The same 9 June batch added a Chrome V8 RCE (Remote Code Execution) and the seventh Cisco SD-WAN KEV entry of 2026, so the listing tempo is not slowing. For an agency running Arista in production, the only route to compliance by 23 June is network access-control lists and change-management cycles, which take longer and leave gaps a patch would not.

Deep Analysis

In plain English

Arista Networks makes the high-speed network switches used to route data traffic inside large data centres. A security flaw called CVE-2026-7473 was found in Arista's switch software that allows an attacker to send disguised network packets that the switch handles incorrectly. The US government's CISA agency added this flaw to its official must-fix list on 9 June, giving federal agencies until 23 June to address it. The unusual part: Arista told CISA that it will never release a software fix. The reason is that the flaw is tied to how the physical chips inside the switches process data, and a code change would break the switches' existing configuration. Federal agencies are instead limited to access-control lists, which are filter rules that restrict which traffic can reach the vulnerable switches but do not fix the underlying flaw.

Deep Analysis
Root Causes

Arista EOS's tunnel verification flaw reflects a design choice in the 7020R, 7280R, and 7500R hardware ASICs (application-specific integrated circuits): the chips implement tunnel-type decapsulation in hardware logic that cannot be patched via a software update without redesigning the data-plane forwarding path.

A code fix would require the OS to reject packets the ASIC has already partially processed, which breaks the forwarding pipeline and disrupts existing tunnel configurations in production deployments.

The broader structural root cause is the KEV catalogue's assumption of software-patchable infrastructure. BOD 22-01, issued in November 2021, was designed for software applications and operating systems where vendor cooperation produces a binary: patch available, or not yet available.

The directive has no compliance pathway for a vendor who formally declines to produce a patch for a hardware-constrained reason. This is the second instance in 2026 where this gap has surfaced, following PAN-OS CVE-2026-0300 where the patch deadline arrived four days before the fix shipped.

Escalation

Stable but unresolved. No evidence of mass exploitation. The risk concentrates in federal data-centre environments running the named Arista switch series. Without a vendor patch, the exposure persists indefinitely beyond the 23 June compliance deadline.

What could happen next?
  • Precedent

    Arista's formal refusal to patch a KEV-listed flaw forces CISA to either accept an ACL-only compliance state or publish guidance for federal procurement exclusion of affected hardware series.

    Short term · Assessed
  • Risk

    Federal agencies running Arista 7020R, 7280R, or 7500R switches in segmented data-centre fabrics face a permanent residual risk without the hardware refresh required to fully remediate CVE-2026-7473.

    Medium term · Assessed
  • Consequence

    BOD 22-01 may require amendment to define a vendor non-cooperation pathway, drawing on the Arista and Exchange CVE-2026-42897 (ID:3486) cases as the documented trigger.

    Medium term · Suggested
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

SecurityWeek· 14 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.