Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Microsoft Sentinel
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
MITRE ATT&CK
KQL Detection Query
let AristaDevices = DeviceNetworkEvents
| where RemotePort in (22, 443, 80, 8080, 8443)
| summarize AristaIPs = make_set(RemoteIP) by DeviceName;
let SuspiciousLogins = SigninLogs
| where AppDisplayName has_any ("Arista", "EOS", "eAPI")
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, LocationDetails;
let NetworkDeviceEvents = CommonSecurityLog
| where DeviceVendor =~ "Arista"
| where Activity has_any ("login", "authentication", "session", "config", "enable", "privilege")
| extend AuthUser = extract(@"user=(\S+)", 1, Message)
| extend SrcIP = coalesce(SourceIP, DeviceAddress)
| where isnotempty(SrcIP);
NetworkDeviceEvents
| join kind=leftouter (
NetworkDeviceEvents
| summarize LoginCount = count(), UniqueUsers = dcount(AuthUser) by SrcIP, bin(TimeGenerated, 1h)
| where LoginCount > 10 or UniqueUsers > 3
) on SrcIP
| where isnotempty(LoginCount)
| union (
CommonSecurityLog
| where DeviceVendor =~ "Arista"
| where Message has_any ("authentication bypass", "privilege escalation", "unauthorized", "config change", "eapi", "management api")
| where TimeGenerated > ago(7d)
)
| project TimeGenerated, DeviceVendor, DeviceProduct, Activity, AuthUser, SrcIP, DestinationIP, Message, Computer
| order by TimeGenerated descDetects anomalous authentication patterns, privilege escalation, and unauthorized configuration changes on Arista EOS devices by correlating CommonSecurityLog events from Arista syslog and management API access. Flags brute-force patterns, unexpected logins, and configuration modifications consistent with CVE-2026-7473 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate network administrators performing bulk configuration changes during maintenance windows
- Automated network monitoring or orchestration tools (Ansible, Terraform, NAPALM) making frequent API calls
- Scheduled compliance audits that enumerate device configurations across many devices
- Network Management Systems (NMS) such as SolarWinds or PRTG polling Arista devices at high frequency
Other platforms for CVE-2026-7473
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
- Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
- Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
- Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
Unlock Pro Content
Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.