14JUN

Arista refuses to patch KEV flaw

3 min read

11:51UTC

Arista Networks told customers it has no plans to fix CVE-2026-7473, an exploited tunnel-verification flaw on CISA's mandatory-remediation list, leaving federal agencies legally bound to fix something the vendor will not.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Arista is the first vendor to formally refuse a fix for a flaw on CISA's mandatory-remediation list.

Arista Networks told customers it has no plans to ship a fix for CVE-2026-7473, a CVSS 6.9 tunnel-verification flaw in Arista EOS (Extensible Operating System) that CISA added to its KEV (Known Exploited Vulnerabilities) catalogue on 9 June with a 23 June federal deadline ¹. Affected switches configured to unwrap one tunnel type wrongly accept others instead; Arista says a code fix would break working configurations on its 7020R, 7280R and 7500R series, and offers access-control lists only. Federal agencies are now legally bound to remediate a flaw the vendor will not repair.

The KEV catalogue is CISA's list of vulnerabilities confirmed under active attack; once a flaw lands on it, US federal civilian agencies must close it by a set date. That model assumes a patch exists, or soon will. This is the second time in six weeks that the assumption has failed. The Exchange OWA flaw carried a 29 May cut-off with no fix available , and PAN-OS had a deadline land four days before its patch . Arista is the worse case of the three, because Exchange and PAN-OS merely ran late while Arista formally declines to ship anything.

BOD 22-01 (Binding Operational Directive 22-01), the November 2021 order behind the KEV catalogue, has no provision for a vendor that refuses to patch. Its remediation clock presumes the fix is the bottleneck, not the vendor's willingness to write one. The same 9 June batch added a Chrome V8 RCE (Remote Code Execution) and the seventh Cisco SD-WAN KEV entry of 2026, so the listing tempo is not slowing. For an agency running Arista in production, the only route to compliance by 23 June is network access-control lists and change-management cycles, which take longer and leave gaps a patch would not.

Deep Analysis

In plain English

Arista Networks makes the high-speed network switches used to route data traffic inside large data centres. A security flaw called CVE-2026-7473 was found in Arista's switch software that allows an attacker to send disguised network packets that the switch handles incorrectly. The US government's CISA agency added this flaw to its official must-fix list on 9 June, giving federal agencies until 23 June to address it. The unusual part: Arista told CISA that it will never release a software fix. The reason is that the flaw is tied to how the physical chips inside the switches process data, and a code change would break the switches' existing configuration. Federal agencies are instead limited to access-control lists, which are filter rules that restrict which traffic can reach the vulnerable switches but do not fix the underlying flaw.

Deep Analysis

Root Causes

Arista EOS's tunnel verification flaw reflects a design choice in the 7020R, 7280R, and 7500R hardware ASICs (application-specific integrated circuits): the chips implement tunnel-type decapsulation in hardware logic that cannot be patched via a software update without redesigning the data-plane forwarding path.

A code fix would require the OS to reject packets the ASIC has already partially processed, which breaks the forwarding pipeline and disrupts existing tunnel configurations in production deployments.

The broader structural root cause is the KEV catalogue's assumption of software-patchable infrastructure. BOD 22-01, issued in November 2021, was designed for software applications and operating systems where vendor cooperation produces a binary: patch available, or not yet available.

The directive has no compliance pathway for a vendor who formally declines to produce a patch for a hardware-constrained reason. This is the second instance in 2026 where this gap has surfaced, following PAN-OS CVE-2026-0300 where the patch deadline arrived four days before the fix shipped.

Escalation

Stable but unresolved. No evidence of mass exploitation. The risk concentrates in federal data-centre environments running the named Arista switch series. Without a vendor patch, the exposure persists indefinitely beyond the 23 June compliance deadline.

What could happen next?

Precedent
Arista's formal refusal to patch a KEV-listed flaw forces CISA to either accept an ACL-only compliance state or publish guidance for federal procurement exclusion of affected hardware series.
Short term · Assessed
Risk
Federal agencies running Arista 7020R, 7280R, or 7500R switches in segmented data-centre fabrics face a permanent residual risk without the hardware refresh required to fully remediate CVE-2026-7473.
Medium term · Assessed
Consequence
BOD 22-01 may require amendment to define a vendor non-cooperation pathway, drawing on the Arista and Exchange CVE-2026-42897 (ID:3486) cases as the documented trigger.
Medium term · Suggested

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2013 Cisco IOS XE CVE-2013-1135 arc demonstrates the same pattern: a tunnel-protocol verification flaw in core routing infrastructure where Cisco initially offered only ACL-based workarounds rather than a code fix, citing ASIC compatibility constraints.

Cisco eventually shipped a software fix after federal procurement pressure and a CISA predecessor-agency guidance letter gave it a documented deadline to respond to. The Arista case is further along the refusal path: a formal written statement that no fix will ship, rather than a delay in confirming one.

Counter-parallel: Microsoft's 2021 decision not to patch PrintNightmare (CVE-2021-1675) in Windows 7 ESU offers a partial counter-precedent where the vendor withheld a fix for an out-of-support platform rather than refusing on configuration-break grounds. Federal agencies in that case were directed to migrate, an option unavailable for embedded Arista 7x00R switches in production data-centre fabrics where rip-and-replace timelines run 12 to 18 months.

Consensus view: SANS Internet Storm Center analysts and Tenable Research both assess the Arista case as a structural stress-test of CISA's Binding Operational Directive 22-01 (BOD 22-01): the directive mandates remediation but assumes vendor cooperation, and Arista's formal refusal to patch exposes a gap the directive's text does not resolve.

Federal agencies running 7020R, 7280R or 7500R switches in data-centre core roles face the 23 June deadline with access-control lists as their only tool, a network-layer control that does not address the underlying tunnel verification flaw. Exchange CVE-2026-42897 was the first documented KEV entry where a federal deadline arrived without a patch; Arista's case is qualitatively worse because the vendor has formally stated no patch will ever ship.

Counter-view: Arista's own network security advisory team argues that the CVSS 6.9 score and the tunnel-decapsulation mechanism mean exploitation requires an adversary already present on an adjacent network segment, limiting the attack surface to environments with inadequate internal network segmentation.

The Chinese Academy of Information and Communications Technology's cybersecurity division has noted that Western KEV deadlines applied to enterprise switching infrastructure create compliance obligations that presuppose software-patchable architectures, a model that does not fit purpose-built networking ASICs where firmware changes risk hardware-level instability.

Key tension: Whether BOD 22-01 requires CISA to build a vendor-recourse pathway for formally refused patches, or whether the only available federal response is to prohibit procurement of affected Arista switch series in new deployments.

Sources:SecurityWeek

Mentions:AMC Networks →CVE-2026-48172 →CISA →Arista EOS →Known Exploited Vulnerabilities →Microsoft →Tenable →CVE-2026-42897 →Cisco →ASIC →nginx →Remote Code Execution →PAN-OS →BOD 22-01 →

First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

SecurityWeek· 14 Jun 2026

Read original →

Causes and effects

Caused by

Exchange repeats the CISA deadline-before-patch trap

Exchange CVE-2026-42897 was the first documented KEV entry where a federal deadline landed with no patch available; Arista CVE-2026-7473 is the second instance, but more severe as the vendor formally declined to ever patch.

Occurred 15 May 2026

Read story →

CISA deadline for PAN-OS RCE lands four days early

PAN-OS CVE-2026-0300 deadline arriving four days before the patch shipped was the first documented KEV compliance gap; Arista's formal refusal to patch is a qualitatively worse failure of the same BOD 22-01 remediation model.

Occurred 6 May 2026

Read story →

Magento RCE forces 9-day patch race

Early-June KEV batch additions (Magento, WebLogic) established the velocity context for the 9 June additions including Arista EOS and Chrome V8.

Occurred 3 Jun 2026

Read story →

This Event

Arista refuses to patch KEV flaw

It is the second KEV deadline in six weeks that no patch can satisfy, exposing that CISA's compliance framework assumes a vendor fix exists.

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.