Detect Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473) in Sumo Logic CSE
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=network/arista OR _sourceCategory=*eos* OR _sourceName=*arista*
| parse "*" as raw_message nodrop
| where raw_message matches "*login*" or raw_message matches "*authentication*" or raw_message matches "*eapi*" or raw_message matches "*privilege*" or raw_message matches "*unauthorized*" or raw_message matches "*management api*"
| parse regex field=raw_message "(?:user|username|User)=(?P<auth_user>\S+)" nodrop
| parse regex field=raw_message "(?:from|src|source)[= ](?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| timeslice 10m
| stats count as event_count, dcount(auth_user) as unique_users, values(src_ip) as source_ips, last(raw_message) as sample_event by _timeslice, _sourceHost
| where event_count > 5 or unique_users > 2
| sort by event_count descAggregates Arista EOS syslog events in Sumo Logic to identify hosts exhibiting high-frequency authentication activity or access from multiple unique users, consistent with authentication bypass exploitation of CVE-2026-7473.
Data Sources
Required Tables
False Positives & Tuning
- Network automation workflows triggering multiple authentication events across many Arista devices simultaneously
- Help desk or NOC bulk login activities during network audit periods
- Syslog forwarding misconfigurations causing duplicate event ingestion appearing as high event counts
- VPN concentrators or jump hosts with many users accessing Arista devices through a shared source IP
Other platforms for CVE-2026-7473
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Arista EOS eAPI Unauthenticated or Bypass Access Attempt
Expected signal: Arista EOS syslog should generate authentication attempt events for each curl and SSH request, including source IP, timestamp, username, and success/failure status. eAPI HTTP access log (if enabled) should show POST requests to /command-api with HTTP 200 or 401 response codes.
- Test 2Unauthorized Arista EOS Configuration Change via eAPI
Expected signal: Arista EOS syslog should record the configuration change with the username, timestamp, and commands executed. AAA accounting log should capture `configure` mode entry and the `username` command. The `show logging` output on the device should reflect the configuration event.
- Test 3Network Scanning of Arista EOS Management Ports
Expected signal: Network flow records and firewall logs should show TCP SYN packets from the scanning host to ports 22, 443, 8080, and 8443 across multiple destination IPs. Arista EOS devices that received connection attempts should log SSH and HTTPS connection attempts in their management plane logs.
- Test 4Python Netmiko Automation Tool Authentication Probe Against Arista EOS
Expected signal: Arista EOS SSH service will log the connection attempt including source IP, username, and authentication result. If CrowdStrike is deployed on the host running the script, process telemetry will show python3 making outbound TCP connections to port 22 of the target device.
Unlock Pro Content
Get the full detection package for CVE-2026-7473 including response playbook, investigation guide, and atomic red team tests.