Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in CrowdStrike LogScale
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "ProcessRollup2", "UserLogon")
| RemotePort IN [22, 443, 8080, 8443]
| CommandLine IN ["*ssh*arista*", "*curl*eapi*", "*python*arista*", "*napalm*", "*netmiko*", "*paramiko*"]
OR (FileName IN ["ssh", "curl", "python3", "python"] AND RemotePort IN [22, 443, 8080, 8443])
| groupBy([RemoteIP, LocalIP, UserName], function=[
count(aid, as=connection_count),
collect(CommandLine, as=commands),
collect(FileName, as=processes),
min(timestamp, as=first_seen),
max(timestamp, as=last_seen)
])
| where connection_count > 3
| sort(connection_count, order=desc)
| limit 200CrowdStrike Falcon query detecting endpoint-side activity consistent with tools used to connect to or exploit Arista EOS management interfaces. Identifies repeated outbound connections to common Arista management ports from known network automation or SSH tools, surfacing lateral movement or exploitation staging.
Data Sources
Required Tables
False Positives & Tuning
- Network engineers using standard SSH clients or Python network automation libraries for legitimate Arista device management
- IT automation servers running Ansible, NAPALM, or Netmiko playbooks against Arista infrastructure
- Security operations tooling performing authorized network device inventory or compliance checks
- Jump servers or bastion hosts with CrowdStrike agents used to proxy legitimate network administrator connections
Other platforms for CVE-2026-7473
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
- Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
- Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
- Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
Unlock Pro Content
Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.