Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Elastic Security
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=5m
[network where network.transport == "tcp" and destination.port in (22, 443, 8080, 8443)
and (destination.ip != null)
and (process.name in ("ssh", "curl", "python", "python3") or network.application == "ssh")]
[any where event.dataset in ("arista.eos", "system.syslog", "network.device")
and (
message like~ "*arista*" or message like~ "*EOS*" or message like~ "*eapi*"
)
and (
message like~ "*login*" or message like~ "*authentication*" or message like~ "*privilege*" or message like~ "*unauthorized*" or message like~ "*config*"
)
]
| filter sequence_count >= 2Uses EQL sequence detection to correlate network connections to Arista management ports with subsequent syslog events indicating authentication or privilege activity. Sequences within 5 minutes are flagged as potential CVE-2026-7473 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrator SSH sessions immediately followed by EOS configuration events during normal operations
- Network monitoring scripts polling Arista eAPI endpoints on a schedule
- CI/CD pipeline network device configuration automation triggering sequential events
- Security scanning tools probing Arista management interfaces during authorized assessments
Other platforms for CVE-2026-7473
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
- Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
- Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
- Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
Unlock Pro Content
Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.