Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in IBM QRadar
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
QIDNAME(qid) AS event_name,
category,
logsourcename(logsourceid) AS log_source,
UTF8(payload) AS raw_payload,
magnitude
FROM events
WHERE
logsourcetypename(devicetype) ILIKE '%arista%'
OR LOWER(UTF8(payload)) LIKE '%arista%'
OR LOWER(UTF8(payload)) LIKE '%eos%'
AND (
LOWER(UTF8(payload)) LIKE '%login%'
OR LOWER(UTF8(payload)) LIKE '%authentication%'
OR LOWER(UTF8(payload)) LIKE '%eapi%'
OR LOWER(UTF8(payload)) LIKE '%privilege%'
OR LOWER(UTF8(payload)) LIKE '%unauthorized%'
OR LOWER(UTF8(payload)) LIKE '%config%change%'
OR destinationport IN (22, 443, 8080, 8443)
)
AND starttime > NOW() - 7 DAYS
GROUP BY sourceip, username, destinationip
HAVING COUNT(*) > 5
ORDER BY magnitude DESC, event_time DESC
LIMIT 500Queries QRadar for authentication and management access events from Arista EOS devices, grouping by source IP and username to surface repeated access patterns. Targets syslog and flow records matching Arista device identifiers with elevated event counts indicative of CVE-2026-7473 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate high-frequency polling from network management systems generating repetitive authentication events
- Automated backup scripts accessing multiple Arista devices within the detection window
- TACACS+ authentication server forwarding legitimate repeated requests from valid network engineers
- Security information management platforms aggregating Arista logs and generating correlated events
Other platforms for CVE-2026-7473
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
- Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
- Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
- Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
Unlock Pro Content
Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.