Which SIEM platforms have a CVE-2026-7473 detection rule?

df00tech provides CVE-2026-7473 (Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-7473 detection?

The CVE-2026-7473 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-7473?

Common false positives for CVE-2026-7473 include: Legitimate network administrators performing bulk configuration changes during maintenance windows; Automated network monitoring or orchestration tools (Ansible, Terraform, NAPALM) making frequent API calls; Scheduled compliance audits that enumerate device configurations across many devices.

CVE-2026-7473 Google Chronicle · YARA-L

Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Google Chronicle

Q: What data sources are required to detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) (CVE-2026-7473)?

Detecting Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) requires the following data sources: CommonSecurityLog, SigninLogs, DeviceNetworkEvents, Syslog.

Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.

MITRE ATT&CK

Tactic: Initial Access Persistence Defense Evasion

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule cve_2026_7473_arista_eos_auth_bypass {
  meta:
    author = "df00tech detection engineering"
    description = "Detects potential exploitation of CVE-2026-7473 in Arista EOS via anomalous authentication and management API access patterns"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137"

  events:
    (
      $e.metadata.product_name = /arista/i or
      $e.metadata.vendor_name = /arista/i or
      $e.target.application = /EOS/i or
      $e.network.application_protocol = "SSH"
    )
    and (
      $e.metadata.event_type = "USER_LOGIN" or
      $e.metadata.event_type = "USER_UNCATEGORIZED" or
      $e.metadata.event_type = "NETWORK_CONNECTION"
    )
    and (
      $e.target.port = 22 or
      $e.target.port = 443 or
      $e.target.port = 8080 or
      $e.target.port = 8443
    )
    and $e.principal.ip != ""

  match:
    $e.principal.ip over 10m

  outcome:
    $risk_score = max(if($e.metadata.event_type = "USER_LOGIN", 50, 25))
    $target_host = array_distinct($e.target.hostname)
    $src_ip = $e.principal.ip

  condition:
    #e > 5
}

critical severity medium confidence

Chronicle YARA-L rule detecting sustained SSH or management API access patterns targeting Arista EOS devices from a single source IP. Triggers on more than 5 login or connection events within 10 minutes, indicating possible authentication bypass exploitation.

Data Sources

Chronicle UDM eventsNetwork device ingestion via Chronicle forwarderGoogle Cloud Chronicle SIEM

Required Tables

udm_events

False Positives & Tuning

Legitimate automated configuration management tools generating frequent management connections to Arista devices
Network monitoring agents polling Arista eAPI at high frequency for telemetry collection
Authorized penetration testing or vulnerability scanning activities targeting network infrastructure
Clustered Arista devices in MLAG or EVPN configurations generating peer management traffic

Other platforms for CVE-2026-7473

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.

Last updated: 2026-06-19 Research depth: standard

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0003Persistence TA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing Application T1078Valid Accounts T1556Modify Authentication Process T1021.004SSH

Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-7473

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-7473

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox