CVE-2026-7473 Splunk · SPL

Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Splunk

Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.

MITRE ATT&CK

Tactics: Initial Access, Persistence, Defense Evasion

SPL Detection Query

Splunk (SPL)

```spl
index=network sourcetype IN ("arista:eos:syslog", "arista:eos:syslog:kv", "cisco:syslog", "syslog")
(vendor="Arista" OR product="EOS" OR host_type="arista")
| eval auth_user=coalesce(user, src_user, username)
| eval src_addr=coalesce(src_ip, src, sourceip)
| eval action_type=lower(coalesce(action, event_type, ""))
| search (action_type IN ("login", "authentication", "session_start", "config_change", "enable") OR message IN ("*authentication*", "*privilege*", "*eapi*", "*management api*", "*unauthorized*", "*bypass*"))
| bin _time span=10m
| stats count as event_count, dc(auth_user) as unique_users, values(action_type) as actions, values(src_addr) as source_ips, latest(message) as last_message by _time, host
| where event_count > 5 OR unique_users > 2
| eval risk_score=case(
    unique_users > 5, "critical",
    event_count > 50, "critical",
    unique_users > 2, "high",
    event_count > 10, "medium",
    true(), "low"
  )
| where risk_score IN ("critical", "high")
| table _time, host, event_count, unique_users, actions, source_ips, last_message, risk_score
| sort - _time
```

Severity: critical · Confidence: medium

Identifies suspicious authentication activity and configuration changes on Arista EOS devices by analyzing syslog data. Flags hosts with elevated authentication event counts or multiple unique users within short time windows, consistent with exploitation of CVE-2026-7473.
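To see how the thresholds above behave before deploying the search, the following Python script re-implements the same pipeline (event filter, 10-minute bins per host, distinct-user count, `case()` risk scoring) over a handful of constructed key=value records. It is an added example, not part of this detection package, and the record format, hostnames and addresses are invented for illustration rather than taken from real Arista EOS syslog.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a key=value style; not real Arista EOS syslog output.
SAMPLE_LOGS = """\
2026-03-01T10:01:00 host=sw-core-1 user=admin src_ip=10.0.0.5 action=login message="authentication success"
2026-03-01T10:02:30 host=sw-core-1 user=ops1 src_ip=10.0.0.5 action=login message="authentication success"
2026-03-01T10:04:10 host=sw-core-1 user=svc_api src_ip=198.51.100.7 action=authentication message="eapi session"
2026-03-01T10:06:45 host=sw-core-1 user=root src_ip=198.51.100.7 action=config_change message="privilege level 15"
2026-03-01T10:03:00 host=sw-edge-2 user=netops src_ip=10.0.0.9 action=login message="authentication success"
2026-03-01T10:05:00 host=sw-edge-2 user=netops src_ip=10.0.0.9 action=interface_up message="Ethernet1 is up"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACTIONS = {"login", "authentication", "session_start", "config_change", "enable"}
KEYWORDS = ("authentication", "privilege", "eapi", "management api", "unauthorized", "bypass")

def parse(line):
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec["_time"] = datetime.fromisoformat(ts)
    return rec

def matches(rec):
    # Same filter as the SPL `search` stage: action list OR message keyword.
    msg = rec.get("message", "").lower()
    return rec.get("action", "").lower() in ACTIONS or any(k in msg for k in KEYWORDS)

def risk_score(unique_users, event_count):
    # Mirrors the SPL case(): the first true branch wins.
    if unique_users > 5 or event_count > 50:
        return "critical"
    if unique_users > 2:
        return "high"
    if event_count > 10:
        return "medium"
    return "low"

def detect(log_text, span_minutes=10):
    buckets = defaultdict(lambda: {"count": 0, "users": set(), "ips": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if not matches(rec):
            continue
        t = rec["_time"]  # floor to the start of the span, like `bin _time span=10m`
        window = t.replace(minute=t.minute - t.minute % span_minutes, second=0, microsecond=0)
        b = buckets[(window, rec["host"])]
        b["count"] += 1
        if rec.get("user"):          # dc() ignores null values
            b["users"].add(rec["user"])
        if rec.get("src_ip"):
            b["ips"].add(rec["src_ip"])
    alerts = []
    for (window, host), b in sorted(buckets.items(), reverse=True):
        if b["count"] > 5 or len(b["users"]) > 2:
            score = risk_score(len(b["users"]), b["count"])
            if score in ("critical", "high"):
                alerts.append({"time": window, "host": host, "event_count": b["count"],
                               "unique_users": len(b["users"]), "source_ips": sorted(b["ips"]),
                               "risk_score": score})
    return alerts
```

Running `detect(SAMPLE_LOGS)` flags only sw-core-1 (four distinct users in one window, risk "high"); sw-edge-2 stays below both thresholds, which is the same behaviour the production search would show for a single NOC engineer logging in repeatedly.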

Data Sources

  • Arista EOS syslog
  • Network device syslog

Required Sourcetypes

  • arista:eos:syslog
  • arista:eos:syslog:kv
  • syslog

False Positives & Tuning

  • Network automation tools performing scheduled configuration pushes to multiple Arista devices
  • Network Operations Center (NOC) engineers performing simultaneous bulk device logins during incident response
  • Legitimate jump server or bastion host accessing multiple Arista devices for monitoring purposes
  • TACACS+/RADIUS server misconfiguration causing repeated authentication retries from valid users

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Arista EOS eAPI Unauthenticated or Bypass Access Attempt

    Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.

  2. Test 2: Unauthorized Arista EOS Configuration Change via eAPI

    Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.

  3. Test 3: Network Scanning of Arista EOS Management Ports

    Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.

  4. Test 4: Python Netmiko Automation Tool Authentication Probe Against Arista EOS

    Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
