Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
160 vulnerabilities by Arista Networks
CVE-2026-25624 (GCVE-0-2026-25624)
Vulnerability from nvd – Published: 2026-06-05 19:34 – Updated: 2026-06-05 20:28
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting
Summary
An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:27:35.700216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:28:03.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires administrative privileges to target UI entry forms and relies on session interaction parsing from a secondary administrator browser window.\u003c/p\u003e"
}
],
"value": "A successful attack requires administrative privileges to target UI entry forms and relies on session interaction parsing from a secondary administrator browser window."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls.\u003c/p\u003e"
}
],
"value": "An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-Site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:34:37.618Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15492"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25624",
"datePublished": "2026-06-05T19:34:37.618Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:28:03.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25623 (GCVE-0-2026-25623)
Vulnerability from nvd – Published: 2026-06-05 19:31 – Updated: 2026-06-05 20:27
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW UI Arbitrary Command Execution
Summary
An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:27:12.326159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:27:23.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires high-privileged authenticated management interface configuration access to the NGFW web platform.\u003c/p\u003e"
}
],
"value": "A successful attack requires high-privileged authenticated management interface configuration access to the NGFW web platform."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions.\u003c/p\u003e"
}
],
"value": "An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:31:49.749Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15490"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW UI Arbitrary Command Execution",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25623",
"datePublished": "2026-06-05T19:31:49.749Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:27:23.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25622 (GCVE-0-2026-25622)
Vulnerability from nvd – Published: 2026-06-05 19:29 – Updated: 2026-06-05 20:26
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection
Summary
A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:26:51.450858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:26:59.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires authenticated administrative interface access rights over the targeted NGFW UI deployment endpoint.\u003c/p\u003e"
}
],
"value": "A successful attack requires authenticated administrative interface access rights over the targeted NGFW UI deployment endpoint."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands.\u003c/p\u003e"
}
],
"value": "A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:29:57.126Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15494"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25622",
"datePublished": "2026-06-05T19:29:57.126Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:26:59.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25621 (GCVE-0-2026-25621)
Vulnerability from nvd – Published: 2026-06-05 19:28 – Updated: 2026-06-05 20:26
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Reports Application Insecure Input Validation
Summary
A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:26:29.068961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:26:36.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "17.4.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable, the following cumulative conditions must be satisfied:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn NGFW system running exactly version 17.4.0.\u003c/li\u003e\u003cli\u003eSuccessful administrative interface access authentication privileges verified.\u003c/li\u003e\u003cli\u003eNavigation to the Reports application dashboard under the Data subsystem.\u003c/li\u003e\u003cli\u003eProcessing an upload interaction within the Import/Restore Data Backup Files field utilizing a specially crafted malicious input file.\u003c/li\u003e\u003c/ol\u003e"
}
],
"value": "In order to be vulnerable, the following cumulative conditions must be satisfied:\n\n * An NGFW system running exactly version 17.4.0.\n * Successful administrative interface access authentication privileges verified.\n * Navigation to the Reports application dashboard under the Data subsystem.\n * Processing an upload interaction within the Import/Restore Data Backup Files field utilizing a specially crafted malicious input file."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.\u003c/p\u003e"
}
],
"value": "A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:28:13.886Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15491"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Reports Application Insecure Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25621",
"datePublished": "2026-06-05T19:28:13.886Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:26:36.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25620 (GCVE-0-2026-25620)
Vulnerability from nvd – Published: 2026-06-05 19:26 – Updated: 2026-06-05 20:23
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection
Summary
An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:23:23.730510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:23:31.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "17.4.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable, the following cumulative conditions must be satisfied:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn NGFW system running exactly version 17.4.0.\u003c/li\u003e\u003cli\u003eThe system administrator must navigate to the Captive Portal application interface.\u003c/li\u003e\u003cli\u003eThe Captive Portal application must be actively installed and enabled.\u003c/li\u003e\u003cli\u003eCaptive Portal Basic Login validation control must be enabled.\u003c/li\u003e\u003c/ol\u003e"
}
],
"value": "In order to be vulnerable, the following cumulative conditions must be satisfied:\n\n * An NGFW system running exactly version 17.4.0.\n * The system administrator must navigate to the Captive Portal application interface.\n * The Captive Portal application must be actively installed and enabled.\n * Captive Portal Basic Login validation control must be enabled."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.\u003c/p\u003e"
}
],
"value": "An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:26:36.797Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22867-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15493"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf managing an active NGFW 17.4.0 deployment, disable the Captive Portal Basic Login configuration profile parameter.\u003c/p\u003e"
}
],
"value": "If managing an active NGFW 17.4.0 deployment, disable the Captive Portal Basic Login configuration profile parameter."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25620",
"datePublished": "2026-06-05T19:26:36.797Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:23:31.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2379 (GCVE-0-2026-2379)
Vulnerability from nvd – Published: 2026-06-05 17:59 – Updated: 2026-06-09 14:36
VLAI
EPSS
VEX
Title
Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled
Summary
On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.34.0 , ≤ 4.34.3M
(custom)
Affected: 4.33.0M , ≤ 4.33.5M (custom) Affected: 4.32.0M , ≤ 4.32.7M (custom) Affected: 4.31.0M , ≤ 4.31.9M (custom) Affected: 4.30.0F , < 4.31.0 (custom) Affected: 4.29.0F , < 4.30.0 (custom) Affected: 4.28.0F , < 4.29.0 (custom) Affected: 4.27.1F , < 4.28.0 (custom) |
Date Public
2026-02-17 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:15:34.481934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:36:39.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7280R3 Series with IPsec (DCS-7280SR3AK",
"DCS-7280SR3AM",
"DCS-7280CR3AK",
"DCS-7280CR3AM",
"DCS-7280CR3MK",
"DCS-7280DR3AK",
"DCS-7280DR3AM",
"DCS-7289R3AK-SC",
"DCS-7289R3AM-SC)",
"7800R3 Series with IPsec (7800R3A-36DM-LC",
"7800R3AK-36DM-LC",
"7800R3A-36PM-LC",
"7800R3AK-36PM-LC",
"7800R3A-36DM2-LC",
"7800R3AK-36DM2-LC)",
"AWE 7000 Series with IPsec (AWE-7250R-16S-F",
"AWE-7230R-4TX-4S-F",
"AWE-7220RP-5TH-2S-F)",
"AWE 5000 Series with IPsec (AWE-5510",
"AWE-5310)",
"CloudEOS VM"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.3M",
"status": "affected",
"version": "4.34.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.5M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.7M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.9M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0F",
"versionType": "custom"
},
{
"lessThan": "4.30.0",
"status": "affected",
"version": "4.29.0F",
"versionType": "custom"
},
{
"lessThan": "4.29.0",
"status": "affected",
"version": "4.28.0F",
"versionType": "custom"
},
{
"lessThan": "4.28.0",
"status": "affected",
"version": "4.27.1F",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-2379, the IPsec\u0026nbsp;\u003cb\u003eanti-replay detection\u003c/b\u003e\u0026nbsp;feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\u003c/p\u003e\u003cp\u003eThe field \u201c\u003cb\u003eReplay window size\u003c/b\u003e\u201d in the output of the command \u201c\u003cb\u003eshow ip sec connection detail\u003c/b\u003e\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show ip sec connection detail\nTunnel0:\n\u0026nbsp;\u0026nbsp;Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u0026nbsp;\u0026nbsp;State: established\n\u0026nbsp;\u0026nbsp;Uptime: 31 minutes, 49 seconds\n\u0026nbsp;\u0026nbsp;VRF: default\n\u0026nbsp;\u0026nbsp;Inbound SPI: 0xcc09b0d4:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, \u003cb\u003eReplay window size: 16384\u003c/b\u003e, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 461294305\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 391481\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u0026nbsp;\u0026nbsp;Outbound SPI: 0xc7869a84:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 1421924689\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 1207796\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cp\u003eIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\u003c/p\u003e\u003cpre\u003eswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2026-2379, the IPsec\u00a0anti-replay detection\u00a0feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\n\n\n\nThe field \u201cReplay window size\u201d in the output of the command \u201cshow ip sec connection detail\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\n\n\n\nswitch#show ip sec connection detail\nTunnel0:\n\u00a0\u00a0Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u00a0\u00a0State: established\n\u00a0\u00a0Uptime: 31 minutes, 49 seconds\n\u00a0\u00a0VRF: default\n\u00a0\u00a0Inbound SPI: 0xcc09b0d4:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 16384, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 461294305\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 391481\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\u00a0\u00a0Outbound SPI: 0xc7869a84:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 1421924689\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 1207796\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\n\n\u00a0\n\n\n\nIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\n\n\n\nIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\n\n\n\nswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection"
}
],
"datePublic": "2026-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.\u003c/p\u003e"
}
],
"value": "On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60 Reusing Session Tokens"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672: Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:59:40.999Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23419-security-advisory-0134"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003c/p\u003e\u003cp\u003eFor more information about upgrading see: \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2026-2379 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.35.0F and later releases in the 4.35.x train\u003c/li\u003e\u003cli\u003e4.34.4M and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.6M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.8M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.10M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\n\n\nFor more information about upgrading see: EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\n\n\nCVE-2026-2379 has been fixed in the following releases:\n\n * 4.35.0F and later releases in the 4.35.x train\n * 4.34.4M and later releases in the 4.34.x train\n * 4.33.6M and later releases in the 4.33.x train\n * 4.32.8M and later releases in the 4.32.x train\n * 4.31.10M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0134",
"defect": [
"BUG 1188976"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.\u003c/p\u003e"
}
],
"value": "There is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-2379",
"datePublished": "2026-06-05T17:59:40.999Z",
"dateReserved": "2026-02-11T21:25:16.721Z",
"dateUpdated": "2026-06-09T14:36:39.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7473 (GCVE-0-2026-7473)
Vulnerability from nvd – Published: 2026-06-05 16:22 – Updated: 2026-06-10 03:57Title
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
Summary
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.
This issue has been reported as being exploited in the wild.
Severity
5.8 (Medium)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.36.0
(custom)
Affected: 4.35.0 , ≤ 4.35 (custom) Affected: 4.34.0 , ≤ 4.34 (custom) Affected: 4.33.0 , ≤ 4.33 (custom) Affected: 4.32.0 , ≤ 4.32 (custom) Affected: 4.31.0 , ≤ 4.31 (custom) Affected: * , ≤ 4.30 (custom) |
Date Public
2026-05-05 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7473",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:57:41.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "CVE-2026-7473 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"7020R Series",
"7280R/R2 Series",
"7500R/R2 Series",
"7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
"7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
"7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "4.36.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.35",
"status": "affected",
"version": "4.35.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.34",
"status": "affected",
"version": "4.34.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33",
"status": "affected",
"version": "4.33.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32",
"status": "affected",
"version": "4.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-7473, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\u003c/p\u003e\u003cp\u003eA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eNote on Platforms:\u003c/b\u003e\u003c/div\u003e\u003cul\u003e\u003cli\u003eAll scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\u003c/li\u003e\u003cli\u003eOnly the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eConfigured decapsulation tunnel type\u003c/th\u003e\u003cth\u003eUnexpected decapsulation of tunnel type traffic to configured decap IP\u003c/th\u003e\u003cth\u003eAdditional configurations required for exploitation\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eVXLAN IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eTNI in NVGRE packet must match a VXLAN VNI configured on switch\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"3\"\u003eGRE IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGeneric UDP Encapsulation (GUE)\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eBoth source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eGRE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eIP-in-IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eIP-in-IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eGREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUEv6\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eIP-in-IPv6, GREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "In order to be vulnerable to CVE-2026-7473, the following condition must be met:\n\n\n\nThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\n\n\n\nA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\n\nNote on Platforms:\n\n * All scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\n * Only the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\n\n\nConfigured decapsulation tunnel typeUnexpected decapsulation of tunnel type traffic to configured decap IPAdditional configurations required for exploitationVXLAN IPv4 Tunnel InterfaceGRE, IPoIPNoneNVGRETNI in NVGRE packet must match a VXLAN VNI configured on switchGRE IPv4 Tunnel InterfaceVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGeneric UDP Encapsulation (GUE)GUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.IPoIPBoth source and destination IP must match GRE tunnel configuration.GRE IPv4 Decap GroupIPoIPNoneVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.NVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.GUE IPv4 Decap GroupGRE, IPoIPNoneIP-in-IPv4 Decap GroupGRENoneNVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.VXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.IP-in-IPv6 Decap GroupGREv6NoneGUEv6GUE Decap Group and relevant UDP destination port to payload mapping must be configured.GUE IPv6 Decap GroupIP-in-IPv6, GREv6None"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo check if the device is acting as a VXLAN VTEP:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces vxlan 1\n\u0026nbsp;Vxlan1 is up, line protocol is up (connected)\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Source interface is Loopback1 and is active with 10.0.0.1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Listening on UDP port 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the output contains \u201c\u003cb\u003eSource interface is \u0026lt;interface\u0026gt; and is active with \u0026lt;IP\u0026gt;\u003c/b\u003e\u201d, the device is acting as a VXLAN VTEP with \u0026lt;IP\u0026gt; as the tunnel termination address, and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if a GRE tunnel interface is configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces Tunnel0\n\u0026nbsp;Tunnel0 is up, line protocol is up\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Hardware is Tunnel\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel source 1.1.1.1, destination 1.1.1.2\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel protocol/transport GRE/IP\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if decap-groups are configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show ip decap-group\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue.\u003c/p\u003e"
}
],
"value": "To check if the device is acting as a VXLAN VTEP:\n\n\n\nswitch\u003eshow interfaces vxlan 1\n\u00a0Vxlan1 is up, line protocol is up (connected)\n\u00a0\u00a0\u00a0Source interface is Loopback1 and is active with 10.0.0.1\n\u00a0\u00a0\u00a0Listening on UDP port 4789\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the output contains \u201cSource interface is \u003cinterface\u003e and is active with \u003cIP\u003e\u201d, the device is acting as a VXLAN VTEP with \u003cIP\u003e as the tunnel termination address, and is potentially impacted.\n\n\n\nTo check if a GRE tunnel interface is configured:\n\n\n\nswitch\u003eshow interfaces Tunnel0\n\u00a0Tunnel0 is up, line protocol is up\n\u00a0\u00a0\u00a0Hardware is Tunnel\n\u00a0\u00a0\u00a0Tunnel source 1.1.1.1, destination 1.1.1.2\n\u00a0\u00a0\u00a0Tunnel protocol/transport GRE/IP\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\n\n\n\nTo check if decap-groups are configured:\n\n\n\nswitch\u003eshow ip decap-group\n\n\n\u00a0\n\n\n\nIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast"
}
],
"datePublic": "2026-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\u003c/p\u003e\u003cp\u003eThis issue has been reported as being exploited in the wild.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\n\n\n\nThis issue has been reported as being exploited in the wild."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1023",
"description": "CWE-1023: Incomplete Comparison with Missing Factors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T16:22:47.989Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNo software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block.\u003c/p\u003e"
}
],
"value": "No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block."
}
],
"source": {
"advisory": "0137",
"defect": [
"BUG1086442",
"BUG1519884"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista User Manual\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\u003c/p\u003e\u003cp\u003eThe following configurations align with the recommendations outlined in the\u0026nbsp;\u003ca href=\"https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista EOS Hardening Guide\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "There are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u00a0 Arista User Manual https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869 .\n\n\n\nA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\n\n\n\nThe following configurations align with the recommendations outlined in the\u00a0 Arista EOS Hardening Guide https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71 ."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eApproach 1 - Applying ACL on Upstream Switches\u003c/h3\u003e\u003cp\u003eOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\u003c/p\u003e\u003cp\u003eExample ACLs for Arista EOS follows.\u003c/p\u003eACL to permit VXLANv4 Only\u003cp\u003eThis IPv4 ACL matches on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (4789)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;vxlan-decap-ip\u0026gt; eq 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Only\u003cp\u003eThis IPv4 ACL matches on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (47)\u003cbr\u003e(b) IP DIP = GRE Tunnel Destination IP\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit gre any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit IP-in-IPv4 Only\u003cp\u003eThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Only\u003cp\u003eThis IPv4 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; \u0026nbsp;\u0026nbsp;\u0026nbsp;(IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
}
],
"value": "Approach 1 - Applying ACL on Upstream Switches\n\nOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\n\n\n\nExample ACLs for Arista EOS follows.\n\nACL to permit VXLANv4 Only\n\nThis IPv4 ACL matches on VXLAN packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = VXLAN VTEP IP\n(c) UDP destination port = VXLAN UDP Port (4789)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cvxlan-decap-ip\u003e eq 4789\n\u00a0\u00a0\u00a02 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 permit ip any any\n\n\n\u00a0\n\nACL to permit GREv4 Only\n\nThis IPv4 ACL matches on GRE packets as follows:\n(a) IP next protocol = GRE (47)\n(b) IP DIP = GRE Tunnel Destination IP\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit gre any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a02 deny ip any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit IP-in-IPv4 Only\n\nThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ip any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to permit GUEv4 Only\n\nThis IPv4 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0(IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ip any any\n\n\n\u00a0\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eApproach 2 - Applying ACL on Decapsulation Switches\u003c/h3\u003e\u003cp\u003eApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eUser-defined TCAM Profiles\u003c/a\u003e.\u003c/p\u003e7020R Series, 7280R/R2 Series, and 7500R/R2 Series\u003cp\u003eMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eFor IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\u003c/li\u003e\u003cli\u003eFor IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls pop ingress\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr mpls\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test1 copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac dst-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan routing\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ipv6\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003ePlease contact Arista TAC if further assistance is needed with TCAM profile construction.\u003c/p\u003e"
}
],
"value": "Approach 2 - Applying ACL on Decapsulation Switches\n\nApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u00a0 User-defined TCAM Profiles https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles .\n\n7020R Series, 7280R/R2 Series, and 7500R/R2 Series\n\nMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\n\n * For IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\n * For IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\n\n\nHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\n\n * TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls pop ingress\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr mpls\n\n\n\u00a0\n\n\u00a0\n * TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\n\n\u00a0\n\n\u00a0\u00a0\n * TCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test1 copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac dst-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan routing\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ip\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ipv6\n\n\n\n\u00a0\n\n\n\nPlease contact Arista TAC if further assistance is needed with TCAM profile construction."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit VXLAN v4 Decap only\u003cp\u003eThis MAC ACL uses UDF to match on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (0x12b5)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (0x2f)\u003cbr\u003e(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\u003c/p\u003e\u003ci\u003eIPv4oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv4 (0x0800)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eIPv6oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv6 (0x86dd)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eMPLSoGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = MPLS (0x8847)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\u003c/pre\u003e"
}
],
"value": "ACL to permit VXLAN v4 Decap only\n\nThis MAC ACL uses UDF to match on VXLAN packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = VXLAN UDP Port (0x12b5)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit GREv4 Decap Only\n\nThis MAC ACL uses UDF to match on GRE packets as follows:\n(a) IP next protocol = GRE (0x2f)\n(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\n\n\nIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\n\nIPv4oGRE\n\nACL also matches on GRE next protocol = IPv4 (0x0800)\n\n\n\nmac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nIPv6oGRE\n\nACL also matches on GRE next protocol = IPv6 (0x86dd)\n\n\n\nmac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nMPLSoGRE\n\nACL also matches on GRE next protocol = MPLS (0x8847)\n\n\n\nmac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit IP-in-IPv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv6 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\u003c/pre\u003e"
}
],
"value": "ACL to permit IP-in-IPv4 Decap Only\n\nThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\n(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\n(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u00a0\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv4 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv6 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit IP-in-IPv6 Decap Only\u003cp\u003eThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ch3\u003e7280R3 Series, 7500R3 Series, and 7800R3 Series\u003c/h3\u003e\u003cp\u003eMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. This requires the following TCAM profile update with the specified packet types:\u003c/p\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue mpls forwarding mpls decap\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. Please reach out, if further assistance is needed with TCAM profile construction.\u003c/p\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
}
],
"value": "ACL to permit IP-in-IPv6 Decap Only\n\nThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\n7280R3 Series, 7500R3 Series, and 7800R3 Series\n\nMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. This requires the following TCAM profile update with the specified packet types:\n\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port ipv6\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue mpls forwarding mpls decap\n\n\n\u00a0\n\n\n\nNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. Please reach out, if further assistance is needed with TCAM profile construction.\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-7473",
"datePublished": "2026-06-05T16:22:47.989Z",
"dateReserved": "2026-04-29T20:08:22.118Z",
"dateUpdated": "2026-06-10T03:57:41.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5090 (GCVE-0-2025-5090)
Vulnerability from nvd – Published: 2026-06-05 15:49 – Updated: 2026-06-09 14:37
VLAI
EPSS
VEX
Title
Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages
Summary
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0 , < 4.32.0 (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 16:46
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:08:56.120293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:26.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThan": "4.32.0",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-11-18T16:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.\u003c/p\u003e"
}
],
"value": "CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:49:27.770Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1139764"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "An attacker with high privilege access over a downstream switch can emit unexpected or malformed TCP packets causing state management code on CVX (ControllerOob/Controllerdb) to throw unhandled faults, leading to ongoing client deregistration cycles and cluster instability."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5090",
"datePublished": "2026-06-05T15:49:27.770Z",
"dateReserved": "2025-05-22T16:26:48.444Z",
"dateUpdated": "2026-06-09T14:37:26.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5089 (GCVE-0-2025-5089)
Vulnerability from nvd – Published: 2026-06-05 15:44 – Updated: 2026-06-09 15:14
VLAI
EPSS
VEX
Title
Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages
Summary
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-12-18 16:40
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:47:55.021277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:14:08.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-12-18T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.\u003c/p\u003e"
}
],
"value": "In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:44:45.822Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n \u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train\n\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140255"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "The attack leverages structurally malformed message payloads communicated over a trusted client/server connection interface to trigger unhandled parser logic, inducing an agent process crash (Denial of Service)."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5089",
"datePublished": "2026-06-05T15:44:45.822Z",
"dateReserved": "2025-05-22T16:26:45.461Z",
"dateUpdated": "2026-06-09T15:14:08.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5088 (GCVE-0-2025-5088)
Vulnerability from nvd – Published: 2026-06-05 15:58 – Updated: 2026-06-09 14:37
VLAI
EPSS
VEX
Title
Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session
Summary
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:09:38.315441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:20.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u0026lt;Switch1\u0026gt; Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf MCS Service is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u0026lt;Switch1\u0026gt; Disabled\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u003cSwitch1\u003e Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u003cSwitch1\u003e Disabled"
}
],
"datePublic": "2025-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\u003c/p\u003e"
}
],
"value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:58:15.288Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-5088 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n * 4.34.2F and later releases in the 4.34.x train\n * 4.33.5M and later releases in the 4.33.x train\n * 4.32.7M and later releases in the 4.32.x train\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140117"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\u003c/p\u003e\u003cp\u003ePlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eLog in to the CVX Server\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eStop Redis Before Applying Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\u003c/p\u003e\u003cp\u003eExecuting \u003ci\u003eno redis password\u003c/i\u003e stops the Redis service by removing its authentication credentials, which prevents it from running.\u003c/p\u003e\u003cpre\u003ecvx\u0026gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eEdit the redis.service Systemd Service File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\u003c/p\u003e\u003cp\u003eFirst, transition to bash mode from the CVX configuration prompt:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#bash\u003c/pre\u003e\u003cp\u003eOnce in bash, use \u003ci\u003esudo nano\u003c/i\u003e to edit the redis.service file:\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo nano /etc/systemd/system/redis.service\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\u003c/b\u003e\u003c/div\u003e\u003cp\u003eWithin the redis.service file, locate the [Service] section and add the following lines:\u003c/p\u003e\u003cpre\u003e[Service]\nUser=redis\nGroup=redis\u003c/pre\u003e\u003cp\u003eThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\u003c/p\u003e\u003cp\u003eSave and exit the editor.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eChange Ownership of the Redis Log File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eTo ensure the redis user has appropriate write permissions for its log file, change the ownership of \u003ci\u003e/var/log/redis/redis.log\u003c/i\u003e to the redis user and group.\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\u003c/pre\u003e\u003cp\u003eThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eRestart the Redis with New Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\u003c/p\u003e\u003cp\u003eFirst, exit bash mode:\u003c/p\u003e\u003cpre\u003e[cvx ~]$exit\u003c/pre\u003e\u003cp\u003eThen, reconfigure the Redis password:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#redis password \u0026lt;secret\u0026gt;\u003c/pre\u003e\u003cp\u003eReplace \u003ci\u003e\u0026lt;secret\u0026gt;\u003c/i\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\u003c/p\u003e\u003cp\u003e\u003cb\u003eNOTE:\u003c/b\u003e Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.\u003c/p\u003e"
}
],
"value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx\u003eenable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password \u003csecret\u003e\n\n\n\nReplace \u003csecret\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5088",
"datePublished": "2026-06-05T15:58:15.288Z",
"dateReserved": "2025-05-22T16:20:16.105Z",
"dateUpdated": "2026-06-09T14:37:20.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8873 (GCVE-0-2025-8873)
Vulnerability from nvd – Published: 2026-06-04 23:04 – Updated: 2026-06-05 18:31
VLAI
EPSS
VEX
Title
Arista EOS Dataplane Denial of Service via Malformed IPsec Packet
Summary
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.33.0M , ≤ 4.33.4M
(custom)
Affected: 4.32.0M , ≤ 4.32.6.1M (custom) Affected: 4.31.0M , ≤ 4.31.7.1M (custom) Affected: 4.30.0M , ≤ 4.30.10M (custom) Affected: 4.29.0M , ≤ 4.29.10.1M (custom) |
Date Public
2026-06-04 22:53
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:31:22.291972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:31:35.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020SRG Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6.1M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.7.1M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.10M",
"status": "affected",
"version": "4.30.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.10.1M",
"status": "affected",
"version": "4.29.0M",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf IPsec is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel.\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\n\n\n\n\nIf IPsec is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel."
}
],
"datePublic": "2026-06-04T22:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:04:56.535Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-8873 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal:\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ehttps://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\u003c/p\u003e\u003cpre\u003eswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u0026nbsp;\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e:\u003c/p\u003e\u003cpre\u003eswitch(config-tcam)#show hardware tcam profile\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Configuration\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\nFixedSystem\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u2018\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e\u2019 differs from the \u2018\u003cb\u003eipsec\u003c/b\u003e\u2019 TCAM profile in two ways:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress IP ACLs are disabled\u003c/li\u003e\u003cli\u003eFixes for BUG603398 and BUG1246592 are applied\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u00a0 https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .\n\n\n\nThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\n\n\n\nswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\n\n\u00a0\n\n\n\nTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u00a0ipsec-egress-padding-removal:\n\n\n\nswitch(config-tcam)#show hardware tcam profile\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Configuration\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\nFixedSystem\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\n\n\u00a0\n\n\n\n\u2018ipsec-egress-padding-removal\u2019 differs from the \u2018ipsec\u2019 TCAM profile in two ways:\n\n * Egress IP ACLs are disabled\n * Fixes for BUG603398 and BUG1246592 are applied"
}
],
"source": {
"advisory": "127",
"defect": [
"BUG 1246592"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Dataplane Denial of Service via Malformed IPsec Packet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are no mitigations for this vulnerability.\u003c/p\u003e"
}
],
"value": "There are no mitigations for this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-8873",
"datePublished": "2026-06-04T23:04:56.535Z",
"dateReserved": "2025-08-11T18:28:43.460Z",
"dateUpdated": "2026-06-05T18:31:35.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27892 (GCVE-0-2024-27892)
Vulnerability from nvd – Published: 2026-06-04 22:33 – Updated: 2026-06-05 18:30
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).
Summary
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.31.0 , ≤ 4.31.2F
(custom)
Affected: 4.30.0 , ≤ 4.30.5M (custom) Affected: 4.29.0 , ≤ 4.29.7M (custom) Affected: 4.28.0 , ≤ 4.28.10M (custom) Affected: 4.27.0 , ≤ 4.27.8M (custom) Affected: 4.26.0 , ≤ 4.26.9M (custom) Affected: 4.25.0 , ≤ 4.25.10M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
Date Public
2024-07-02 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:30:07.883215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:30:17.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"710 Series",
"720D Series",
"720XP/722XPM Series",
"750X Series",
"7010 Series",
"7010X Series",
"7020R Series",
"7130 Series running EOS",
"7150 Series",
"7160 Series",
"7170 Series",
"7050X/X2/X3/X4 Series",
"7060X/X2/X4/X5/X6 Series",
"7250X Series",
"7260X/X3 Series",
"7280E/R/R2/R3 Series",
"7300X/X3 Series",
"7320X Series",
"7358X4 Series",
"7368X4 Series",
"7388X5 Series",
"7500E/R/R2/R3 Series",
"7800R3 Series",
"CloudEOS",
"cEOS-lab",
"vEOS-lab",
"AWE 5000 Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.31.2F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.5M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.8M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.9M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.10M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27892, the only condition is that OpenConfig must be enabled with an SSL profile:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: profile-name\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\u003c/pre\u003e\u003cbr\u003e\u003cp\u003eIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nEnabled: no transports enabled\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27892, the only condition is that OpenConfig must be enabled with an SSL profile:\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: profile-name\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\nIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled"
}
],
"datePublic": "2024-07-02T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAffected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:33:15.792Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19862-security-advisory-0099"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27892 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.6M and later release in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27892 has been fixed in the following releases:\n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.6M and later release in the 4.30.x train\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following hotfix can be applied to remediate CVE-2024-27892. The hotfix only applies to the releases listed below and no other releases.\u003c/p\u003e\u003cp\u003eNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\u003c/p\u003eEOS Versions 4.30.5\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.29.7\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003ed6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.28.10.1\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eFor instructions on installation and verification of the hotfix patch, refer to the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-managing-eos-extensions?searchword=eos%20section%206%206%20managing%20eos%20extensions\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u201cmanaging eos extensions\u201d\u003c/a\u003e\u0026nbsp;section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019.\u003c/p\u003e"
}
],
"value": "The following hotfix can be applied to remediate CVE-2024-27892. The hotfix only applies to the releases listed below and no other releases.\n\n\n\nNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\n\nEOS Versions 4.30.5\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\n\n\u00a0\n\nEOS Versions 4.29.7\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\nd6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\n\n\u00a0\n\nEOS Versions 4.28.10.1\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\n\n\u00a0\n\n\n\nFor instructions on installation and verification of the hotfix patch, refer to the\u00a0 \u201cmanaging eos extensions\u201d https://www.arista.com/en/um-eos/eos-managing-eos-extensions \u00a0section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019."
}
],
"source": {
"advisory": "0099",
"defect": [
"BUG 912475"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi transport grpc default authorization requests\u003c/pre\u003e\u003cp\u003eAlternatively, TLS can be disabled:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no ssl profile\u003c/pre\u003e\u003cp\u003eAlternatively, the OpenConfig agent can be disabled entirely:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003c/pre\u003e"
}
],
"value": "The workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.\n\nswitch(config-gnmi-transport-default)#show management api gnmi transport grpc default authorization requests\n\nAlternatively, TLS can be disabled:\n\nswitch(config-gnmi-transport-default)#no ssl profile\n\nAlternatively, the OpenConfig agent can be disabled entirely:\n\nswitch(config-gnmi-transport-default)#no management api gnmi"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27892",
"datePublished": "2026-06-04T22:33:15.792Z",
"dateReserved": "2024-02-26T18:06:32.161Z",
"dateUpdated": "2026-06-05T18:30:17.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27891 (GCVE-0-2024-27891)
Vulnerability from nvd – Published: 2026-06-04 22:08 – Updated: 2026-06-05 18:28
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.
Summary
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.32.0 , ≤ 4.32.0.1F
(custom)
Affected: 4.31.0 , ≤ 4.31.2F (custom) Affected: 4.30.0 , ≤ 4.30.6M (custom) Affected: 4.29.0 , ≤ 4.29.7M (custom) Affected: 4.28.0 , ≤ 4.28.10.1M (custom) Affected: 4.27.2F , < 4.28.0 (custom) |
Date Public
2024-07-23 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:28:35.666431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:28:50.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"722XPM Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.32.0.1F",
"status": "affected",
"version": "4.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.2F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.6M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10.1M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThan": "4.28.0",
"status": "affected",
"version": "4.27.2F",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\u003c/p\u003e\u003col\u003e\u003cli\u003eMACsec must be configured:\u003cbr\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 1\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 54\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; enabled\n\u003c/pre\u003e\u003cp\u003e\u003cb\u003eNote:\u003c/b\u003e\u0026nbsp;active profiles is not 0, and number of secured interfaces is not 0\u003c/p\u003e\u003cdiv\u003eIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\u003c/div\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; disabled (Hardware license not enabled)\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eAccess Control Lists (ACLs) must be configured for outbound packets:\u003cbr\u003e\u003cpre\u003eswitch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\n\n * MACsec must be configured:\n\n\nswitch\u003eshow mac security status\nAdministrative State: \u00a0 \u00a0 enabled\nActive Profiles:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 1\nData Delay Protection:\u00a0 \u00a0 no\nEAPoL Destination MAC:\u00a0 \u00a0 0180.c200.0003\nFIPS Mode:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 no\nSecured Interfaces: \u00a0 \u00a0 \u00a0 54\nLicense:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 enabled\n\n\n\n\nNote:\u00a0active profiles is not 0, and number of secured interfaces is not 0\n\nIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\n\n\n\nswitch\u003eshow mac security status\nAdministrative State: \u00a0 \u00a0 enabled\nActive Profiles:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\nData Delay Protection:\u00a0 \u00a0 no\nEAPoL Destination MAC:\u00a0 \u00a0 0180.c200.0003\nFIPS Mode:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 no\nSecured Interfaces: \u00a0 \u00a0 \u00a0 0\nLicense:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 disabled (Hardware license not enabled)\n\n\n\u00a0\n\n\n * Access Control Lists (ACLs) must be configured for outbound packets:\n\n\nswitch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n\u00a0\u00a0\u00a0ip access-group testIpAcl out"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe total number of ACLs configured must be any of the following:\u003c/div\u003e\u003col\u003e\u003cli\u003eMore than 3 MAC ACLs, or\u003c/li\u003e\u003cli\u003eMore than 7 IPv4 ACLs, or\u003c/li\u003e\u003cli\u003eMore than 3 IPv6 ACLs\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\u003c/p\u003e\u003cdiv\u003eIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\u003c/div\u003e\u003cpre\u003e! Notice no output below, indicating no ACLs configured\n! or notice ACLs are applied as \u201cin\u201d only.\nswitch#show running-config | section access-list\nswitch#\nswitch#show running-config | section access-group\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\u003c/p\u003e\u003cp\u003eNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\u003c/p\u003e\u003cp\u003eTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\u003c/p\u003e\u003cp\u003eIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\ninterface Port-Channel1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\ninterface Vlan613\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n \nswitch\u0026gt;show port-channel 1 brief\nPort Channel Port-Channel1:\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\n \nswitch\u0026gt;show vlan 613\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\u0026nbsp; \u0026nbsp; Ports\n----- -------------------------------- --------- -------------------------------\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\n \nswitch\u0026gt;show mac security interface Ethernet1-5\nInterface \u0026nbsp; \u0026nbsp; \u0026nbsp; SCI \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Controlled Port\u0026nbsp; \u0026nbsp; \u0026nbsp; Key in Use\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 00:00:00:00:00:00::0\u0026nbsp; \u0026nbsp; \u0026nbsp; False\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; None\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\n\u003c/pre\u003e\u003cp\u003eIn the above example Ethernet1 and Ethernet5 have MACsec enabled.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The total number of ACLs configured must be any of the following:\n\n * More than 3 MAC ACLs, or\n * More than 7 IPv4 ACLs, or\n * More than 3 IPv6 ACLs\n\n\nIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\n\nIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\n\n\n\n! Notice no output below, indicating no ACLs configured\n! or notice ACLs are applied as \u201cin\u201d only.\nswitch#show running-config | section access-list\nswitch#\nswitch#show running-config | section access-group\ninterface Ethernet1\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\n\n\n\u00a0\n\n\n\nIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\n\n\n\nNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\n\n\n\nTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\n\n\n\nIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\n\n\n\nswitch#show running-config | section access-group\ninterface Port-Channel1\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\ninterface Vlan613\n\u00a0\u00a0\u00a0ip access-group testIpAcl out\n \nswitch\u003eshow port-channel 1 brief\nPort Channel Port-Channel1:\n\u00a0\u00a0Active Ports: Ethernet1 Ethernet5\n \nswitch\u003eshow vlan 613\nVLAN\u00a0 Name \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\u00a0 \u00a0 Ports\n----- -------------------------------- --------- -------------------------------\n613 \u00a0 VLAN0613 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 active\u00a0 \u00a0 Cpu, Et2, Et4\n \nswitch\u003eshow mac security interface Ethernet1-5\nInterface \u00a0 \u00a0 \u00a0 SCI \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Controlled Port\u00a0 \u00a0 \u00a0 Key in Use\nEthernet1 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet2 \u00a0 \u00a0 \u00a0 00:00:00:00:00:00::0\u00a0 \u00a0 \u00a0 False\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 None\nEthernet5 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\n\n\n\n\nIn the above example Ethernet1 and Ethernet5 have MACsec enabled."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\ninterface Port-Channel1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\ninterface Ethernet45\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl2 out\ninterface Ethernet46\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl3 out\ninterface Ethernet47\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl4 out\ninterface Vlan613\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n \nswitch\u0026gt;show port-channel 1 brief\nPort Channel Port-Channel1:\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\n \nswitch\u0026gt;show vlan 613\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\u0026nbsp; \u0026nbsp; Ports\n----- -------------------------------- --------- -------------------------------\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\n \nswitch\u0026gt;show mac security interface Ethernet1-$ | grep True\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet45 \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cb\u003eInterface\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003e\u201cOut\u201d ACL\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMinimum ACL count met\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMACsec enabled\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eAffected\u003c/b\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEt1\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt2\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt3\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt4\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt5\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt45\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt46\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt47\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eIn the above example and table:\u003c/div\u003e\u003cul\u003e\u003cli\u003eEthernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.\u003c/li\u003e\u003cli\u003eEthernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\u003c/li\u003e\u003cli\u003eEthernet3 is also not affected because the ACL is for incoming packets.\u003c/li\u003e\u003cli\u003eEthernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "In the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\n\n\n\nswitch#show running-config | section access-group\ninterface Port-Channel1\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\ninterface Ethernet45\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl2 out\ninterface Ethernet46\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl3 out\ninterface Ethernet47\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl4 out\ninterface Vlan613\n\u00a0\u00a0\u00a0ip access-group testIpAcl out\n \nswitch\u003eshow port-channel 1 brief\nPort Channel Port-Channel1:\n\u00a0\u00a0Active Ports: Ethernet1 Ethernet5\n \nswitch\u003eshow vlan 613\nVLAN\u00a0 Name \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\u00a0 \u00a0 Ports\n----- -------------------------------- --------- -------------------------------\n613 \u00a0 VLAN0613 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 active\u00a0 \u00a0 Cpu, Et2, Et4\n \nswitch\u003eshow mac security interface Ethernet1-$ | grep True\nEthernet1 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet2 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet5 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet45 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\n\n\n\u00a0\n\nInterface\u201cOut\u201d ACLMinimum ACL count metMACsec enabledAffectedEt1YesYesYesYesEt2YesNo (only one IPv4 ACL)YesNoEt3NoNo (only one IPv4 ACL)NoNoEt4YesNo (only one IPv4 ACL)NoNoEt5YesYesYesYesEt45YesYesYesYesEt46YesYesNoNoEt47YesYesNoNo\n\n\u00a0\n\nIn the above example and table:\n\n * Ethernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.\n * Ethernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\n * Ethernet3 is also not affected because the ACL is for incoming packets.\n * Ethernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required."
}
],
"datePublic": "2024-07-23T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eOn affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:08:42.522Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27891 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.32.1F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.7M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27891 has been fixed in the following releases:\n\n * 4.32.1F and later releases in the 4.32.x train \n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.7M and later releases in the 4.30.x train\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
}
],
"source": {
"advisory": "102",
"defect": [
"BUG 906098"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\u003c/p\u003e\u003cpre\u003eswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#no mac security profile\n \n! or remove/replace the `out` ACL\n! Note that you may wish to apply `in` ACLs to a different set of\n! interfaces than `out` ACLs were applied to.\n \nswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#mac access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#ip access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#ipv6 access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#no mac access-group out\nswitch(config-if-Et1)#no ip access-group out\nswitch(config-if-Et1)#no ipv6 access-group out\n\u003c/pre\u003e\u003cp\u003eFor more information about ACLs see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: ACLs and Route Maps\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\n\n\n\nswitch#configure\nswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#no mac security profile\n \n! or remove/replace the `out` ACL\n! Note that you may wish to apply `in` ACLs to a different set of\n! interfaces than `out` ACLs were applied to.\n \nswitch#configure\nswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#mac access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#ip access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#ipv6 access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#no mac access-group out\nswitch(config-if-Et1)#no ip access-group out\nswitch(config-if-Et1)#no ipv6 access-group out\n\n\n\n\nFor more information about ACLs see\u00a0 EOS User Manual: ACLs and Route Maps https://www.arista.com/en/um-eos/eos-acls-and-route-maps ."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27891",
"datePublished": "2026-06-04T22:08:42.522Z",
"dateReserved": "2024-02-26T18:06:32.161Z",
"dateUpdated": "2026-06-05T18:28:50.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27890 (GCVE-0-2024-27890)
Vulnerability from nvd – Published: 2026-06-04 22:27 – Updated: 2026-06-05 18:29
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (No SSL Profiles Enabled).
Summary
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.29.0 , ≤ 4.29.7M
(custom)
Affected: 4.28.0 , ≤ 4.28.10M (custom) Affected: 4.27.0 , ≤ 4.27.8M (custom) Affected: 4.26.0 , ≤ 4.26.9M (custom) Affected: 4.25.0 , ≤ 4.25.10M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:29:18.470860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:29:28.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"710 Series",
"720D Series",
"720XP/722XPM Series",
"750X Series",
"7010 Series",
"7010X Series",
"7020R Series",
"7130 Series running EOS",
"7150 Series",
"7160 Series",
"7170 Series",
"7050X/X2/X3/X4 Series",
"7060X/X2/X4/X5/X6 Series",
"7250X Series",
"7260X/X3 Series",
"7280E/R/R2/R3 Series",
"7300X/X3 Series",
"7320X Series",
"7358X4 Series",
"7368X4 Series",
"7388X5 Series",
"7500E/R/R2/R3 Series",
"7800R3 Series",
"CloudEOS",
"cEOS-lab",
"vEOS-lab",
"AWE 5000 Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.8M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.9M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.10M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27890, the only condition is that OpenConfig must be enabled:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\u003c/pre\u003e\u003cbr\u003e\u003cp\u003eIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nEnabled: no transports enabled\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27890, the only condition is that OpenConfig must be enabled:\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\nIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAffected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:27:36.610Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19862-security-advisory-0099"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27890 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.30.0M and onwards\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27890 has been fixed in the following releases:\n * 4.30.0M and onwards\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following hotfix can be applied to remediate CVE-2024-27890. The hotfix only applies to the releases listed below and no other releases.\u003c/p\u003e\u003cp\u003eNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\u003c/p\u003eEOS Versions 4.30.5\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.29.7\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003ed6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.28.10.1\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eFor instructions on installation and verification of the hotfix patch, refer to the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-managing-eos-extensions?searchword=eos%20section%206%206%20managing%20eos%20extensions\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u201cmanaging eos extensions\u201d\u003c/a\u003e\u0026nbsp;section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019.\u003c/p\u003e"
}
],
"value": "The following hotfix can be applied to remediate CVE-2024-27890. The hotfix only applies to the releases listed below and no other releases.\n\n\n\nNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\n\nEOS Versions 4.30.5\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\n\n\u00a0\n\nEOS Versions 4.29.7\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\nd6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\n\n\u00a0\n\nEOS Versions 4.28.10.1\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\n\n\u00a0\n\n\n\nFor instructions on installation and verification of the hotfix patch, refer to the\u00a0 \u201cmanaging eos extensions\u201d https://www.arista.com/en/um-eos/eos-managing-eos-extensions \u00a0section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019."
}
],
"source": {
"advisory": "0099",
"defect": [
"BUG 747512"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (No SSL Profiles Enabled).",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround to mitigate this vulnerability is to disable the OpenConfig agent entirely:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003cbr\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eAlternatively for both, the OpenConfig agent can be disabled.\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003c/pre\u003e\u003c/pre\u003e"
}
],
"value": "The workaround to mitigate this vulnerability is to disable the OpenConfig agent entirely:\n\n\n\nswitch(config-gnmi-transport-default)#no management api gnmi\n\n\n\n\n\n\n\nAlternatively for both, the OpenConfig agent can be disabled.\n\n\n\nswitch(config-gnmi-transport-default)#no management api gnmi"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27890",
"datePublished": "2026-06-04T22:27:36.610Z",
"dateReserved": "2024-02-26T18:06:32.160Z",
"dateUpdated": "2026-06-05T18:29:28.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5502 (GCVE-0-2023-5502)
Vulnerability from nvd – Published: 2026-06-04 22:39 – Updated: 2026-06-05 18:30
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, a malicious supplicant may bypass authentication.
Summary
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.31.0 , ≤ 4.31.0F
(custom)
Affected: 4.30.0 , ≤ 4.30.4M (custom) Affected: 4.29.0 , ≤ 4.29.6M (custom) Affected: 4.28.0 , ≤ 4.28.8M (custom) Affected: 4.27.0 , ≤ 4.27.11M (custom) Affected: 4.26.0 , ≤ 4.26.11M (custom) Affected: 4.25.0 , ≤ 4.25.11M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
Date Public
2024-05-21 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:30:41.122247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:30:54.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020R Series",
"7280R/R2 Series",
"7500R/R2 Series",
"7280E Series",
"7500E Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.31.0F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.4M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.6M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.8M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.11M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.11M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.11M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2023-5502, either of the following configuration conditions must be met:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCondition 1: Dot1x authentication must be configured:\u003c/strong\u003e\u003c/p\u003e\u003cpre\u003edot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n !! One of the two configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\u003c/pre\u003e\u003cbr\u003e\u003cp\u003e\u003cstrong\u003eCondition 2: 802.1x configured in any host mode with MBA:\u003c/strong\u003e\u003c/p\u003e\u003cpre\u003edot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n dot1x mac based authentication\n !! One of the three configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\n dot1x host-mode multi-host\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2023-5502, either of the following configuration conditions must be met:\n\nCondition 1: Dot1x authentication must be configured:\n\ndot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n !! One of the two configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\n\nCondition 2: 802.1x configured in any host mode with MBA:\n\ndot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n dot1x mac based authentication\n !! One of the three configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\n dot1x host-mode multi-host\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing"
}
],
"datePublic": "2024-05-21T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eOn affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:39:34.101Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19462-security-advisory-0096"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2023-5502 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.32.0F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.5M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.7M and later releases in the 4.29.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNote: Products 7280E and 7500E are EOL, and there are no released versions of EOS which fix the issue on those platforms.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2023-5502 has been fixed in the following releases:\n * 4.32.0F and later releases in the 4.32.x train\n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.5M and later releases in the 4.30.x train\n * 4.29.7M and later releases in the 4.29.x train\n\nNote: Products 7280E and 7500E are EOL, and there are no released versions of EOS which fix the issue on those platforms."
}
],
"source": {
"advisory": "0096",
"defect": [
"BUG 862986"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, a malicious supplicant may bypass authentication.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMitigation of this vulnerability requires disabling dot1x. Dot1x can be disabled globally using the following command:\u003c/p\u003e\u003cpre\u003eno dot1x system-auth-control\u003c/pre\u003e"
}
],
"value": "Mitigation of this vulnerability requires disabling dot1x. Dot1x can be disabled globally using the following command:\n\nno dot1x system-auth-control"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2023-5502",
"datePublished": "2026-06-04T22:39:34.101Z",
"dateReserved": "2023-10-10T15:58:04.589Z",
"dateUpdated": "2026-06-05T18:30:54.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6858 (GCVE-0-2024-6858)
Vulnerability from nvd – Published: 2026-06-04 21:51 – Updated: 2026-06-05 20:13
VLAI
EPSS
VEX
Title
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
Summary
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1287 - Improper validation of specified type of input
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.31.0 , ≤ 4.31.1F
(custom)
Affected: 4.30.0 , ≤ 4.30.5M (custom) Affected: 4.29.0 , ≤ 4.29.7M (custom) Affected: 4.28.10 , ≤ 4.28.10.1M (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-6858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:13:55.762154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:13:59.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"720D Series",
"720XP/722XPM Series",
"750X Series",
"7010 Series",
"7010X Series",
"7020R Series",
"7130 Series running EOS",
"7150 Series",
"7160 Series",
"7170 Series",
"7050X/X2/X3/X4 Series",
"7060X/X2/X4/X5/X6 Series",
"7250X Series",
"7260X/X3 Series",
"7280E/R/R2/R3 Series",
"7300X/X3 Series",
"7320X Series",
"7358X4 Series",
"7368X4 Series",
"7388X5 Series",
"7500E/R/R2/R3 Series",
"7800R3 Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.31.1F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.5M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10.1M",
"status": "affected",
"version": "4.28.10",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-6858, the following conditions must be met:\u003c/p\u003e\u003cp\u003e(1) dot1x should be configured on port as authenticator and port-control is auto mode and hostMode is multi-host. Please note the default host-mode is multi-host.\u003c/p\u003e\u003cpre\u003eswitch(config-if-et1)#show active\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x pae authenticator\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x port-control auto\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x host-mode multi-host\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cp\u003eAND\u003cbr\u003e(2) Fallback VLAN should be configured on port. Fallback VLAN can be configured in any of the following ways listed below;\u003c/p\u003e\u003cp\u003e(2-a) Global Configuration for unresponsive VLAN.\u003c/p\u003e\u003cpre\u003eswitch(config-dot1x)#show active\ndot1x\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;aaa unresponsive action traffic allow vlan \u0026lt;vlan-id\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n \nOR\n \nswitch(config-dot1x)#show active\ndot1x\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;aaa unresponsive action traffic allow\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eOR\u003cbr\u003e(2-b) Global Configuration for unresponsive phone VLAN.\u003c/div\u003e\u003cpre\u003eswitch(config-dot1x)#show active\ndot1x\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;aaa unresponsive phone action traffic allow\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eOR\u003cbr\u003e(2-c) Global Configuration for guest VLAN.\u003c/div\u003e\u003cpre\u003eswitch(config-dot1x)#show active\ndot1x\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;eapol unresponsive action traffic allow vlan \u0026lt;vlan-id\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eOR\u003cbr\u003e(2-d) Authentication failure VLAN configured on port.\u003c/div\u003e\u003cpre\u003eswitch(config-if-et1)#show active\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x authentication failure action traffic allow vlan \u0026lt;vlan_id\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eOR\u003cbr\u003e(2-e) Unresponsive VLAN configured on port.\u003c/div\u003e\u003cpre\u003eswitch(config-if-et1)#show active\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x aaa unresponsive action traffic allow vlan \u0026lt;vlan_id\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eOR\u003cbr\u003e(2-f) Unresponsive phone VLAN configured on port.\u003c/div\u003e\u003cpre\u003eswitch(config-if-et1)#show active\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\n\u0026nbsp;\u0026nbsp;\u0026nbsp;dot1x aaa unresponsive phone action traffic allow\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u2026\u2026\u2026\u2026\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-6858, the following conditions must be met:\n\n\n\n(1) dot1x should be configured on port as authenticator and port-control is auto mode and hostMode is multi-host. Please note the default host-mode is multi-host.\n\n\n\nswitch(config-if-et1)#show active\ninterface Ethernet1\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0dot1x pae authenticator\n\n\u00a0\u00a0\u00a0dot1x port-control auto\n\n\u00a0\u00a0\u00a0dot1x host-mode multi-host\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\n\nAND\n(2) Fallback VLAN should be configured on port. Fallback VLAN can be configured in any of the following ways listed below;\n\n\n\n(2-a) Global Configuration for unresponsive VLAN.\n\n\n\nswitch(config-dot1x)#show active\ndot1x\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0aaa unresponsive action traffic allow vlan \u003cvlan-id\u003e\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n \nOR\n \nswitch(config-dot1x)#show active\ndot1x\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0aaa unresponsive action traffic allow\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\u00a0\n\nOR\n(2-b) Global Configuration for unresponsive phone VLAN.\n\n\n\nswitch(config-dot1x)#show active\ndot1x\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0aaa unresponsive phone action traffic allow\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\u00a0\n\nOR\n(2-c) Global Configuration for guest VLAN.\n\n\n\nswitch(config-dot1x)#show active\ndot1x\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0eapol unresponsive action traffic allow vlan \u003cvlan-id\u003e\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\u00a0\n\nOR\n(2-d) Authentication failure VLAN configured on port.\n\n\n\nswitch(config-if-et1)#show active\ninterface Ethernet1\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0dot1x authentication failure action traffic allow vlan \u003cvlan_id\u003e\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\u00a0\n\nOR\n(2-e) Unresponsive VLAN configured on port.\n\n\n\nswitch(config-if-et1)#show active\ninterface Ethernet1\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0dot1x aaa unresponsive action traffic allow vlan \u003cvlan_id\u003e\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\n\n\u00a0\n\nOR\n(2-f) Unresponsive phone VLAN configured on port.\n\n\n\nswitch(config-if-et1)#show active\ninterface Ethernet1\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026\n\u00a0\u00a0\u00a0dot1x aaa unresponsive phone action traffic allow\n\u00a0\u00a0\u00a0\u2026\u2026\u2026\u2026"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Arista\u2019s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN."
}
],
"value": "In Arista\u2019s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper validation of specified type of input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T21:51:08.709Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19917-security-advisory-0103"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-6858 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.31.2F and later releases in the 4.31.x train.\u003c/li\u003e\u003cli\u003e4.30.6M and later releases in the 4.30.x train.\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train.\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u00a0 EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-6858 has been fixed in the following releases:\n\n * 4.31.2F and later releases in the 4.31.x train.\n * 4.30.6M and later releases in the 4.30.x train.\n * 4.29.8M and later releases in the 4.29.x train.\n * 4.28.11M and later releases in the 4.28.x train."
}
],
"source": {
"advisory": "103",
"defect": [
"BUG 828435"
],
"discovery": "INTERNAL"
},
"title": "In Arista\u2019s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis vulnerability arises when there is an EAPOL supplicant in any of the fallback VLAN\u2019s ( i.e. auth-fail, unresponsive VLAN ). If only unauthenticated EAPOL supplicants are expected the admin can change dot1x host-mode to single-host as indicated below.\u003c/p\u003e\u003cpre\u003eswitch(config-if-et1)#dot1x host-mode single-host\n\u003c/pre\u003e\u003cul\u003e\u003cli\u003eDot1x Host Mode\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eSingle Host Mode: Please note when once the 802.1X supplicant is authenticated on the port, ONLY the traffic coming from the supplicant\u0027s MAC is allowed through the port.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eMulti-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from ANY source MAC is allowed through the port.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eMulti-Host authenticated Mode: Multiple 802.1X supplicants can be allowed and ONLY the traffic coming from all authenticated supplicant\u2019s MAC is allowed through the port.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "This vulnerability arises when there is an EAPOL supplicant in any of the fallback VLAN\u2019s ( i.e. auth-fail, unresponsive VLAN ). If only unauthenticated EAPOL supplicants are expected the admin can change dot1x host-mode to single-host as indicated below.\n\n\n\nswitch(config-if-et1)#dot1x host-mode single-host\n\n\n * Dot1x Host Mode\n * \n\nSingle Host Mode: Please note when once the 802.1X supplicant is authenticated on the port, ONLY the traffic coming from the supplicant\u0027s MAC is allowed through the port.\n\n\n * \n\nMulti-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from ANY source MAC is allowed through the port.\n\n\n * \n\nMulti-Host authenticated Mode: Multiple 802.1X supplicants can be allowed and ONLY the traffic coming from all authenticated supplicant\u2019s MAC is allowed through the port."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-6858",
"datePublished": "2026-06-04T21:51:08.709Z",
"dateReserved": "2024-07-17T20:13:57.799Z",
"dateUpdated": "2026-06-05T20:13:59.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25624 (GCVE-0-2026-25624)
Vulnerability from cvelistv5 – Published: 2026-06-05 19:34 – Updated: 2026-06-05 20:28
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting
Summary
An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:27:35.700216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:28:03.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires administrative privileges to target UI entry forms and relies on session interaction parsing from a secondary administrator browser window.\u003c/p\u003e"
}
],
"value": "A successful attack requires administrative privileges to target UI entry forms and relies on session interaction parsing from a secondary administrator browser window."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls.\u003c/p\u003e"
}
],
"value": "An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-Site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:34:37.618Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15492"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25624",
"datePublished": "2026-06-05T19:34:37.618Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:28:03.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25623 (GCVE-0-2026-25623)
Vulnerability from cvelistv5 – Published: 2026-06-05 19:31 – Updated: 2026-06-05 20:27
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW UI Arbitrary Command Execution
Summary
An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:27:12.326159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:27:23.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires high-privileged authenticated management interface configuration access to the NGFW web platform.\u003c/p\u003e"
}
],
"value": "A successful attack requires high-privileged authenticated management interface configuration access to the NGFW web platform."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions.\u003c/p\u003e"
}
],
"value": "An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:31:49.749Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15490"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW UI Arbitrary Command Execution",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25623",
"datePublished": "2026-06-05T19:31:49.749Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:27:23.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25622 (GCVE-0-2026-25622)
Vulnerability from cvelistv5 – Published: 2026-06-05 19:29 – Updated: 2026-06-05 20:26
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection
Summary
A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
0 , ≤ 17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:26:51.450858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:26:59.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA successful attack requires authenticated administrative interface access rights over the targeted NGFW UI deployment endpoint.\u003c/p\u003e"
}
],
"value": "A successful attack requires authenticated administrative interface access rights over the targeted NGFW UI deployment endpoint."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands.\u003c/p\u003e"
}
],
"value": "A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:29:57.126Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15494"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25622",
"datePublished": "2026-06-05T19:29:57.126Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:26:59.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25621 (GCVE-0-2026-25621)
Vulnerability from cvelistv5 – Published: 2026-06-05 19:28 – Updated: 2026-06-05 20:26
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Reports Application Insecure Input Validation
Summary
A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:26:29.068961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:26:36.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "17.4.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable, the following cumulative conditions must be satisfied:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn NGFW system running exactly version 17.4.0.\u003c/li\u003e\u003cli\u003eSuccessful administrative interface access authentication privileges verified.\u003c/li\u003e\u003cli\u003eNavigation to the Reports application dashboard under the Data subsystem.\u003c/li\u003e\u003cli\u003eProcessing an upload interaction within the Import/Restore Data Backup Files field utilizing a specially crafted malicious input file.\u003c/li\u003e\u003c/ol\u003e"
}
],
"value": "In order to be vulnerable, the following cumulative conditions must be satisfied:\n\n * An NGFW system running exactly version 17.4.0.\n * Successful administrative interface access authentication privileges verified.\n * Navigation to the Reports application dashboard under the Data subsystem.\n * Processing an upload interaction within the Import/Restore Data Backup Files field utilizing a specially crafted malicious input file."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.\u003c/p\u003e"
}
],
"value": "A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:28:13.886Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23399-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15491"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Reports Application Insecure Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePer operational best practice security models, do not allow unauthorized administrative access to the administrative browser.\u003c/p\u003e"
}
],
"value": "Per operational best practice security models, do not allow unauthorized administrative access to the administrative browser."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25621",
"datePublished": "2026-06-05T19:28:13.886Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:26:36.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25620 (GCVE-0-2026-25620)
Vulnerability from cvelistv5 – Published: 2026-06-05 19:26 – Updated: 2026-06-05 20:23
VLAI
EPSS
VEX
Title
Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection
Summary
An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) |
Affected:
17.4.0
(custom)
|
Date Public
2026-02-03 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T20:23:23.730510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T20:23:31.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle)"
],
"product": "Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "17.4.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable, the following cumulative conditions must be satisfied:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn NGFW system running exactly version 17.4.0.\u003c/li\u003e\u003cli\u003eThe system administrator must navigate to the Captive Portal application interface.\u003c/li\u003e\u003cli\u003eThe Captive Portal application must be actively installed and enabled.\u003c/li\u003e\u003cli\u003eCaptive Portal Basic Login validation control must be enabled.\u003c/li\u003e\u003c/ol\u003e"
}
],
"value": "In order to be vulnerable, the following cumulative conditions must be satisfied:\n\n * An NGFW system running exactly version 17.4.0.\n * The system administrator must navigate to the Captive Portal application interface.\n * The Captive Portal application must be actively installed and enabled.\n * Captive Portal Basic Login validation control must be enabled."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Williams \u0026 Ronan Kervella from Bishop Fox"
}
],
"datePublic": "2026-02-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.\u003c/p\u003e"
}
],
"value": "An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:26:36.797Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22867-security-advisory-0133"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to NGFW Version 17.4.1 at your earliest convenience."
}
],
"source": {
"advisory": "0133",
"defect": [
"NGFW-15493"
],
"discovery": "EXTERNAL"
},
"title": "Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf managing an active NGFW 17.4.0 deployment, disable the Captive Portal Basic Login configuration profile parameter.\u003c/p\u003e"
}
],
"value": "If managing an active NGFW 17.4.0 deployment, disable the Captive Portal Basic Login configuration profile parameter."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-25620",
"datePublished": "2026-06-05T19:26:36.797Z",
"dateReserved": "2026-02-03T22:23:04.359Z",
"dateUpdated": "2026-06-05T20:23:31.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2379 (GCVE-0-2026-2379)
Vulnerability from cvelistv5 – Published: 2026-06-05 17:59 – Updated: 2026-06-09 14:36
VLAI
EPSS
VEX
Title
Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled
Summary
On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.34.0 , ≤ 4.34.3M
(custom)
Affected: 4.33.0M , ≤ 4.33.5M (custom) Affected: 4.32.0M , ≤ 4.32.7M (custom) Affected: 4.31.0M , ≤ 4.31.9M (custom) Affected: 4.30.0F , < 4.31.0 (custom) Affected: 4.29.0F , < 4.30.0 (custom) Affected: 4.28.0F , < 4.29.0 (custom) Affected: 4.27.1F , < 4.28.0 (custom) |
Date Public
2026-02-17 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:15:34.481934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:36:39.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7280R3 Series with IPsec (DCS-7280SR3AK",
"DCS-7280SR3AM",
"DCS-7280CR3AK",
"DCS-7280CR3AM",
"DCS-7280CR3MK",
"DCS-7280DR3AK",
"DCS-7280DR3AM",
"DCS-7289R3AK-SC",
"DCS-7289R3AM-SC)",
"7800R3 Series with IPsec (7800R3A-36DM-LC",
"7800R3AK-36DM-LC",
"7800R3A-36PM-LC",
"7800R3AK-36PM-LC",
"7800R3A-36DM2-LC",
"7800R3AK-36DM2-LC)",
"AWE 7000 Series with IPsec (AWE-7250R-16S-F",
"AWE-7230R-4TX-4S-F",
"AWE-7220RP-5TH-2S-F)",
"AWE 5000 Series with IPsec (AWE-5510",
"AWE-5310)",
"CloudEOS VM"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.3M",
"status": "affected",
"version": "4.34.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.5M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.7M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.9M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0F",
"versionType": "custom"
},
{
"lessThan": "4.30.0",
"status": "affected",
"version": "4.29.0F",
"versionType": "custom"
},
{
"lessThan": "4.29.0",
"status": "affected",
"version": "4.28.0F",
"versionType": "custom"
},
{
"lessThan": "4.28.0",
"status": "affected",
"version": "4.27.1F",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-2379, the IPsec\u0026nbsp;\u003cb\u003eanti-replay detection\u003c/b\u003e\u0026nbsp;feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\u003c/p\u003e\u003cp\u003eThe field \u201c\u003cb\u003eReplay window size\u003c/b\u003e\u201d in the output of the command \u201c\u003cb\u003eshow ip sec connection detail\u003c/b\u003e\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show ip sec connection detail\nTunnel0:\n\u0026nbsp;\u0026nbsp;Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u0026nbsp;\u0026nbsp;State: established\n\u0026nbsp;\u0026nbsp;Uptime: 31 minutes, 49 seconds\n\u0026nbsp;\u0026nbsp;VRF: default\n\u0026nbsp;\u0026nbsp;Inbound SPI: 0xcc09b0d4:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, \u003cb\u003eReplay window size: 16384\u003c/b\u003e, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 461294305\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 391481\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u0026nbsp;\u0026nbsp;Outbound SPI: 0xc7869a84:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 1421924689\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 1207796\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cp\u003eIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\u003c/p\u003e\u003cpre\u003eswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2026-2379, the IPsec\u00a0anti-replay detection\u00a0feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\n\n\n\nThe field \u201cReplay window size\u201d in the output of the command \u201cshow ip sec connection detail\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\n\n\n\nswitch#show ip sec connection detail\nTunnel0:\n\u00a0\u00a0Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u00a0\u00a0State: established\n\u00a0\u00a0Uptime: 31 minutes, 49 seconds\n\u00a0\u00a0VRF: default\n\u00a0\u00a0Inbound SPI: 0xcc09b0d4:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 16384, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 461294305\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 391481\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\u00a0\u00a0Outbound SPI: 0xc7869a84:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 1421924689\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 1207796\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\n\n\u00a0\n\n\n\nIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\n\n\n\nIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\n\n\n\nswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection"
}
],
"datePublic": "2026-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.\u003c/p\u003e"
}
],
"value": "On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60 Reusing Session Tokens"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672: Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:59:40.999Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23419-security-advisory-0134"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003c/p\u003e\u003cp\u003eFor more information about upgrading see: \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2026-2379 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.35.0F and later releases in the 4.35.x train\u003c/li\u003e\u003cli\u003e4.34.4M and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.6M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.8M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.10M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\n\n\nFor more information about upgrading see: EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\n\n\nCVE-2026-2379 has been fixed in the following releases:\n\n * 4.35.0F and later releases in the 4.35.x train\n * 4.34.4M and later releases in the 4.34.x train\n * 4.33.6M and later releases in the 4.33.x train\n * 4.32.8M and later releases in the 4.32.x train\n * 4.31.10M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0134",
"defect": [
"BUG 1188976"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.\u003c/p\u003e"
}
],
"value": "There is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-2379",
"datePublished": "2026-06-05T17:59:40.999Z",
"dateReserved": "2026-02-11T21:25:16.721Z",
"dateUpdated": "2026-06-09T14:36:39.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7473 (GCVE-0-2026-7473)
Vulnerability from cvelistv5 – Published: 2026-06-05 16:22 – Updated: 2026-06-10 03:57Title
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
Summary
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.
This issue has been reported as being exploited in the wild.
Severity
5.8 (Medium)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.36.0
(custom)
Affected: 4.35.0 , ≤ 4.35 (custom) Affected: 4.34.0 , ≤ 4.34 (custom) Affected: 4.33.0 , ≤ 4.33 (custom) Affected: 4.32.0 , ≤ 4.32 (custom) Affected: 4.31.0 , ≤ 4.31 (custom) Affected: * , ≤ 4.30 (custom) |
Date Public
2026-05-05 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7473",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:57:41.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "CVE-2026-7473 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"7020R Series",
"7280R/R2 Series",
"7500R/R2 Series",
"7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
"7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
"7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "4.36.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.35",
"status": "affected",
"version": "4.35.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.34",
"status": "affected",
"version": "4.34.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33",
"status": "affected",
"version": "4.33.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32",
"status": "affected",
"version": "4.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-7473, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\u003c/p\u003e\u003cp\u003eA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eNote on Platforms:\u003c/b\u003e\u003c/div\u003e\u003cul\u003e\u003cli\u003eAll scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\u003c/li\u003e\u003cli\u003eOnly the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eConfigured decapsulation tunnel type\u003c/th\u003e\u003cth\u003eUnexpected decapsulation of tunnel type traffic to configured decap IP\u003c/th\u003e\u003cth\u003eAdditional configurations required for exploitation\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eVXLAN IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eTNI in NVGRE packet must match a VXLAN VNI configured on switch\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"3\"\u003eGRE IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGeneric UDP Encapsulation (GUE)\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eBoth source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eGRE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eIP-in-IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eIP-in-IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eGREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUEv6\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eIP-in-IPv6, GREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "In order to be vulnerable to CVE-2026-7473, the following condition must be met:\n\n\n\nThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\n\n\n\nA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\n\nNote on Platforms:\n\n * All scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\n * Only the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\n\n\nConfigured decapsulation tunnel typeUnexpected decapsulation of tunnel type traffic to configured decap IPAdditional configurations required for exploitationVXLAN IPv4 Tunnel InterfaceGRE, IPoIPNoneNVGRETNI in NVGRE packet must match a VXLAN VNI configured on switchGRE IPv4 Tunnel InterfaceVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGeneric UDP Encapsulation (GUE)GUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.IPoIPBoth source and destination IP must match GRE tunnel configuration.GRE IPv4 Decap GroupIPoIPNoneVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.NVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.GUE IPv4 Decap GroupGRE, IPoIPNoneIP-in-IPv4 Decap GroupGRENoneNVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.VXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.IP-in-IPv6 Decap GroupGREv6NoneGUEv6GUE Decap Group and relevant UDP destination port to payload mapping must be configured.GUE IPv6 Decap GroupIP-in-IPv6, GREv6None"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo check if the device is acting as a VXLAN VTEP:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces vxlan 1\n\u0026nbsp;Vxlan1 is up, line protocol is up (connected)\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Source interface is Loopback1 and is active with 10.0.0.1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Listening on UDP port 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the output contains \u201c\u003cb\u003eSource interface is \u0026lt;interface\u0026gt; and is active with \u0026lt;IP\u0026gt;\u003c/b\u003e\u201d, the device is acting as a VXLAN VTEP with \u0026lt;IP\u0026gt; as the tunnel termination address, and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if a GRE tunnel interface is configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces Tunnel0\n\u0026nbsp;Tunnel0 is up, line protocol is up\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Hardware is Tunnel\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel source 1.1.1.1, destination 1.1.1.2\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel protocol/transport GRE/IP\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if decap-groups are configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show ip decap-group\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue.\u003c/p\u003e"
}
],
"value": "To check if the device is acting as a VXLAN VTEP:\n\n\n\nswitch\u003eshow interfaces vxlan 1\n\u00a0Vxlan1 is up, line protocol is up (connected)\n\u00a0\u00a0\u00a0Source interface is Loopback1 and is active with 10.0.0.1\n\u00a0\u00a0\u00a0Listening on UDP port 4789\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the output contains \u201cSource interface is \u003cinterface\u003e and is active with \u003cIP\u003e\u201d, the device is acting as a VXLAN VTEP with \u003cIP\u003e as the tunnel termination address, and is potentially impacted.\n\n\n\nTo check if a GRE tunnel interface is configured:\n\n\n\nswitch\u003eshow interfaces Tunnel0\n\u00a0Tunnel0 is up, line protocol is up\n\u00a0\u00a0\u00a0Hardware is Tunnel\n\u00a0\u00a0\u00a0Tunnel source 1.1.1.1, destination 1.1.1.2\n\u00a0\u00a0\u00a0Tunnel protocol/transport GRE/IP\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\n\n\n\nTo check if decap-groups are configured:\n\n\n\nswitch\u003eshow ip decap-group\n\n\n\u00a0\n\n\n\nIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast"
}
],
"datePublic": "2026-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\u003c/p\u003e\u003cp\u003eThis issue has been reported as being exploited in the wild.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\n\n\n\nThis issue has been reported as being exploited in the wild."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1023",
"description": "CWE-1023: Incomplete Comparison with Missing Factors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T16:22:47.989Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNo software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block.\u003c/p\u003e"
}
],
"value": "No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block."
}
],
"source": {
"advisory": "0137",
"defect": [
"BUG1086442",
"BUG1519884"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista User Manual\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\u003c/p\u003e\u003cp\u003eThe following configurations align with the recommendations outlined in the\u0026nbsp;\u003ca href=\"https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista EOS Hardening Guide\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "There are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u00a0 Arista User Manual https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869 .\n\n\n\nA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\n\n\n\nThe following configurations align with the recommendations outlined in the\u00a0 Arista EOS Hardening Guide https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71 ."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eApproach 1 - Applying ACL on Upstream Switches\u003c/h3\u003e\u003cp\u003eOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\u003c/p\u003e\u003cp\u003eExample ACLs for Arista EOS follows.\u003c/p\u003eACL to permit VXLANv4 Only\u003cp\u003eThis IPv4 ACL matches on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (4789)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;vxlan-decap-ip\u0026gt; eq 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Only\u003cp\u003eThis IPv4 ACL matches on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (47)\u003cbr\u003e(b) IP DIP = GRE Tunnel Destination IP\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit gre any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit IP-in-IPv4 Only\u003cp\u003eThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Only\u003cp\u003eThis IPv4 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; \u0026nbsp;\u0026nbsp;\u0026nbsp;(IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
}
],
"value": "Approach 1 - Applying ACL on Upstream Switches\n\nOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\n\n\n\nExample ACLs for Arista EOS follows.\n\nACL to permit VXLANv4 Only\n\nThis IPv4 ACL matches on VXLAN packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = VXLAN VTEP IP\n(c) UDP destination port = VXLAN UDP Port (4789)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cvxlan-decap-ip\u003e eq 4789\n\u00a0\u00a0\u00a02 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 permit ip any any\n\n\n\u00a0\n\nACL to permit GREv4 Only\n\nThis IPv4 ACL matches on GRE packets as follows:\n(a) IP next protocol = GRE (47)\n(b) IP DIP = GRE Tunnel Destination IP\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit gre any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a02 deny ip any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit IP-in-IPv4 Only\n\nThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ip any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to permit GUEv4 Only\n\nThis IPv4 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0(IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ip any any\n\n\n\u00a0\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eApproach 2 - Applying ACL on Decapsulation Switches\u003c/h3\u003e\u003cp\u003eApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eUser-defined TCAM Profiles\u003c/a\u003e.\u003c/p\u003e7020R Series, 7280R/R2 Series, and 7500R/R2 Series\u003cp\u003eMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eFor IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\u003c/li\u003e\u003cli\u003eFor IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls pop ingress\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr mpls\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test1 copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac dst-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan routing\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ipv6\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003ePlease contact Arista TAC if further assistance is needed with TCAM profile construction.\u003c/p\u003e"
}
],
"value": "Approach 2 - Applying ACL on Decapsulation Switches\n\nApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u00a0 User-defined TCAM Profiles https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles .\n\n7020R Series, 7280R/R2 Series, and 7500R/R2 Series\n\nMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\n\n * For IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\n * For IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\n\n\nHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\n\n * TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls pop ingress\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr mpls\n\n\n\u00a0\n\n\u00a0\n * TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\n\n\u00a0\n\n\u00a0\u00a0\n * TCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test1 copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac dst-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan routing\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ip\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ipv6\n\n\n\n\u00a0\n\n\n\nPlease contact Arista TAC if further assistance is needed with TCAM profile construction."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit VXLAN v4 Decap only\u003cp\u003eThis MAC ACL uses UDF to match on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (0x12b5)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (0x2f)\u003cbr\u003e(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\u003c/p\u003e\u003ci\u003eIPv4oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv4 (0x0800)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eIPv6oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv6 (0x86dd)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eMPLSoGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = MPLS (0x8847)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\u003c/pre\u003e"
}
],
"value": "ACL to permit VXLAN v4 Decap only\n\nThis MAC ACL uses UDF to match on VXLAN packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = VXLAN UDP Port (0x12b5)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit GREv4 Decap Only\n\nThis MAC ACL uses UDF to match on GRE packets as follows:\n(a) IP next protocol = GRE (0x2f)\n(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\n\n\nIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\n\nIPv4oGRE\n\nACL also matches on GRE next protocol = IPv4 (0x0800)\n\n\n\nmac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nIPv6oGRE\n\nACL also matches on GRE next protocol = IPv6 (0x86dd)\n\n\n\nmac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nMPLSoGRE\n\nACL also matches on GRE next protocol = MPLS (0x8847)\n\n\n\nmac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit IP-in-IPv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv6 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\u003c/pre\u003e"
}
],
"value": "ACL to permit IP-in-IPv4 Decap Only\n\nThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\n(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\n(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u00a0\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv4 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv6 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ACL to permit IP-in-IPv6 Decap Only\u003cp\u003eThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ch3\u003e7280R3 Series, 7500R3 Series, and 7800R3 Series\u003c/h3\u003e\u003cp\u003eMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. This requires the following TCAM profile update with the specified packet types:\u003c/p\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue mpls forwarding mpls decap\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. Please reach out, if further assistance is needed with TCAM profile construction.\u003c/p\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
}
],
"value": "ACL to permit IP-in-IPv6 Decap Only\n\nThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\n7280R3 Series, 7500R3 Series, and 7800R3 Series\n\nMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. This requires the following TCAM profile update with the specified packet types:\n\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port ipv6\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue mpls forwarding mpls decap\n\n\n\u00a0\n\n\n\nNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. Please reach out, if further assistance is needed with TCAM profile construction.\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2026-7473",
"datePublished": "2026-06-05T16:22:47.989Z",
"dateReserved": "2026-04-29T20:08:22.118Z",
"dateUpdated": "2026-06-10T03:57:41.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5088 (GCVE-0-2025-5088)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:58 – Updated: 2026-06-09 14:37
VLAI
EPSS
VEX
Title
Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session
Summary
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:09:38.315441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:20.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u0026lt;Switch1\u0026gt; Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf MCS Service is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u0026lt;Switch1\u0026gt; Disabled\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u003cSwitch1\u003e Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u003cSwitch1\u003e Disabled"
}
],
"datePublic": "2025-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\u003c/p\u003e"
}
],
"value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:58:15.288Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-5088 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n * 4.34.2F and later releases in the 4.34.x train\n * 4.33.5M and later releases in the 4.33.x train\n * 4.32.7M and later releases in the 4.32.x train\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140117"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\u003c/p\u003e\u003cp\u003ePlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eLog in to the CVX Server\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eStop Redis Before Applying Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\u003c/p\u003e\u003cp\u003eExecuting \u003ci\u003eno redis password\u003c/i\u003e stops the Redis service by removing its authentication credentials, which prevents it from running.\u003c/p\u003e\u003cpre\u003ecvx\u0026gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eEdit the redis.service Systemd Service File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\u003c/p\u003e\u003cp\u003eFirst, transition to bash mode from the CVX configuration prompt:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#bash\u003c/pre\u003e\u003cp\u003eOnce in bash, use \u003ci\u003esudo nano\u003c/i\u003e to edit the redis.service file:\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo nano /etc/systemd/system/redis.service\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\u003c/b\u003e\u003c/div\u003e\u003cp\u003eWithin the redis.service file, locate the [Service] section and add the following lines:\u003c/p\u003e\u003cpre\u003e[Service]\nUser=redis\nGroup=redis\u003c/pre\u003e\u003cp\u003eThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\u003c/p\u003e\u003cp\u003eSave and exit the editor.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eChange Ownership of the Redis Log File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eTo ensure the redis user has appropriate write permissions for its log file, change the ownership of \u003ci\u003e/var/log/redis/redis.log\u003c/i\u003e to the redis user and group.\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\u003c/pre\u003e\u003cp\u003eThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eRestart the Redis with New Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\u003c/p\u003e\u003cp\u003eFirst, exit bash mode:\u003c/p\u003e\u003cpre\u003e[cvx ~]$exit\u003c/pre\u003e\u003cp\u003eThen, reconfigure the Redis password:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#redis password \u0026lt;secret\u0026gt;\u003c/pre\u003e\u003cp\u003eReplace \u003ci\u003e\u0026lt;secret\u0026gt;\u003c/i\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\u003c/p\u003e\u003cp\u003e\u003cb\u003eNOTE:\u003c/b\u003e Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.\u003c/p\u003e"
}
],
"value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx\u003eenable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password \u003csecret\u003e\n\n\n\nReplace \u003csecret\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5088",
"datePublished": "2026-06-05T15:58:15.288Z",
"dateReserved": "2025-05-22T16:20:16.105Z",
"dateUpdated": "2026-06-09T14:37:20.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5090 (GCVE-0-2025-5090)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:49 – Updated: 2026-06-09 14:37
VLAI
EPSS
VEX
Title
Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages
Summary
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0 , < 4.32.0 (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 16:46
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:08:56.120293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:26.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThan": "4.32.0",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-11-18T16:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.\u003c/p\u003e"
}
],
"value": "CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:49:27.770Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1139764"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "An attacker with high privilege access over a downstream switch can emit unexpected or malformed TCP packets causing state management code on CVX (ControllerOob/Controllerdb) to throw unhandled faults, leading to ongoing client deregistration cycles and cluster instability."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5090",
"datePublished": "2026-06-05T15:49:27.770Z",
"dateReserved": "2025-05-22T16:26:48.444Z",
"dateUpdated": "2026-06-09T14:37:26.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5089 (GCVE-0-2025-5089)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:44 – Updated: 2026-06-09 15:14
VLAI
EPSS
VEX
Title
Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages
Summary
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-12-18 16:40
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:47:55.021277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:14:08.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-12-18T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.\u003c/p\u003e"
}
],
"value": "In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:44:45.822Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n \u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train\n\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140255"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "The attack leverages structurally malformed message payloads communicated over a trusted client/server connection interface to trigger unhandled parser logic, inducing an agent process crash (Denial of Service)."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5089",
"datePublished": "2026-06-05T15:44:45.822Z",
"dateReserved": "2025-05-22T16:26:45.461Z",
"dateUpdated": "2026-06-09T15:14:08.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8873 (GCVE-0-2025-8873)
Vulnerability from cvelistv5 – Published: 2026-06-04 23:04 – Updated: 2026-06-05 18:31
VLAI
EPSS
VEX
Title
Arista EOS Dataplane Denial of Service via Malformed IPsec Packet
Summary
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.33.0M , ≤ 4.33.4M
(custom)
Affected: 4.32.0M , ≤ 4.32.6.1M (custom) Affected: 4.31.0M , ≤ 4.31.7.1M (custom) Affected: 4.30.0M , ≤ 4.30.10M (custom) Affected: 4.29.0M , ≤ 4.29.10.1M (custom) |
Date Public
2026-06-04 22:53
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:31:22.291972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:31:35.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020SRG Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6.1M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.7.1M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.10M",
"status": "affected",
"version": "4.30.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.10.1M",
"status": "affected",
"version": "4.29.0M",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf IPsec is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel.\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\n\n\n\n\nIf IPsec is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel."
}
],
"datePublic": "2026-06-04T22:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:04:56.535Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-8873 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal:\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ehttps://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\u003c/p\u003e\u003cpre\u003eswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u0026nbsp;\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e:\u003c/p\u003e\u003cpre\u003eswitch(config-tcam)#show hardware tcam profile\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Configuration\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\nFixedSystem\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u2018\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e\u2019 differs from the \u2018\u003cb\u003eipsec\u003c/b\u003e\u2019 TCAM profile in two ways:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress IP ACLs are disabled\u003c/li\u003e\u003cli\u003eFixes for BUG603398 and BUG1246592 are applied\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u00a0 https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .\n\n\n\nThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\n\n\n\nswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\n\n\u00a0\n\n\n\nTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u00a0ipsec-egress-padding-removal:\n\n\n\nswitch(config-tcam)#show hardware tcam profile\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Configuration\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\nFixedSystem\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\n\n\u00a0\n\n\n\n\u2018ipsec-egress-padding-removal\u2019 differs from the \u2018ipsec\u2019 TCAM profile in two ways:\n\n * Egress IP ACLs are disabled\n * Fixes for BUG603398 and BUG1246592 are applied"
}
],
"source": {
"advisory": "127",
"defect": [
"BUG 1246592"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Dataplane Denial of Service via Malformed IPsec Packet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are no mitigations for this vulnerability.\u003c/p\u003e"
}
],
"value": "There are no mitigations for this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-8873",
"datePublished": "2026-06-04T23:04:56.535Z",
"dateReserved": "2025-08-11T18:28:43.460Z",
"dateUpdated": "2026-06-05T18:31:35.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5502 (GCVE-0-2023-5502)
Vulnerability from cvelistv5 – Published: 2026-06-04 22:39 – Updated: 2026-06-05 18:30
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, a malicious supplicant may bypass authentication.
Summary
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.31.0 , ≤ 4.31.0F
(custom)
Affected: 4.30.0 , ≤ 4.30.4M (custom) Affected: 4.29.0 , ≤ 4.29.6M (custom) Affected: 4.28.0 , ≤ 4.28.8M (custom) Affected: 4.27.0 , ≤ 4.27.11M (custom) Affected: 4.26.0 , ≤ 4.26.11M (custom) Affected: 4.25.0 , ≤ 4.25.11M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
Date Public
2024-05-21 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:30:41.122247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:30:54.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020R Series",
"7280R/R2 Series",
"7500R/R2 Series",
"7280E Series",
"7500E Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.31.0F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.4M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.6M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.8M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.11M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.11M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.11M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2023-5502, either of the following configuration conditions must be met:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCondition 1: Dot1x authentication must be configured:\u003c/strong\u003e\u003c/p\u003e\u003cpre\u003edot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n !! One of the two configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\u003c/pre\u003e\u003cbr\u003e\u003cp\u003e\u003cstrong\u003eCondition 2: 802.1x configured in any host mode with MBA:\u003c/strong\u003e\u003c/p\u003e\u003cpre\u003edot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n dot1x mac based authentication\n !! One of the three configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\n dot1x host-mode multi-host\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2023-5502, either of the following configuration conditions must be met:\n\nCondition 1: Dot1x authentication must be configured:\n\ndot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n !! One of the two configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing\n\nCondition 2: 802.1x configured in any host mode with MBA:\n\ndot1x system-auth-control\ninterface Ethernet1\n dot1x pae authenticator\n dot1x port-control auto\n dot1x mac based authentication\n !! One of the three configuration lines below MUST be set\n dot1x host-mode single-host\n dot1x host-mode multi-host authenticated\n dot1x host-mode multi-host\ninterface Vlan100\n ip address 1.1.1.1/24\n ip routing"
}
],
"datePublic": "2024-05-21T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eOn affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:39:34.101Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19462-security-advisory-0096"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2023-5502 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.32.0F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.5M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.7M and later releases in the 4.29.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNote: Products 7280E and 7500E are EOL, and there are no released versions of EOS which fix the issue on those platforms.\u003c/p\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2023-5502 has been fixed in the following releases:\n * 4.32.0F and later releases in the 4.32.x train\n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.5M and later releases in the 4.30.x train\n * 4.29.7M and later releases in the 4.29.x train\n\nNote: Products 7280E and 7500E are EOL, and there are no released versions of EOS which fix the issue on those platforms."
}
],
"source": {
"advisory": "0096",
"defect": [
"BUG 862986"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, a malicious supplicant may bypass authentication.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMitigation of this vulnerability requires disabling dot1x. Dot1x can be disabled globally using the following command:\u003c/p\u003e\u003cpre\u003eno dot1x system-auth-control\u003c/pre\u003e"
}
],
"value": "Mitigation of this vulnerability requires disabling dot1x. Dot1x can be disabled globally using the following command:\n\nno dot1x system-auth-control"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2023-5502",
"datePublished": "2026-06-04T22:39:34.101Z",
"dateReserved": "2023-10-10T15:58:04.589Z",
"dateUpdated": "2026-06-05T18:30:54.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27892 (GCVE-0-2024-27892)
Vulnerability from cvelistv5 – Published: 2026-06-04 22:33 – Updated: 2026-06-05 18:30
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).
Summary
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.31.0 , ≤ 4.31.2F
(custom)
Affected: 4.30.0 , ≤ 4.30.5M (custom) Affected: 4.29.0 , ≤ 4.29.7M (custom) Affected: 4.28.0 , ≤ 4.28.10M (custom) Affected: 4.27.0 , ≤ 4.27.8M (custom) Affected: 4.26.0 , ≤ 4.26.9M (custom) Affected: 4.25.0 , ≤ 4.25.10M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
Date Public
2024-07-02 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:30:07.883215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:30:17.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"710 Series",
"720D Series",
"720XP/722XPM Series",
"750X Series",
"7010 Series",
"7010X Series",
"7020R Series",
"7130 Series running EOS",
"7150 Series",
"7160 Series",
"7170 Series",
"7050X/X2/X3/X4 Series",
"7060X/X2/X4/X5/X6 Series",
"7250X Series",
"7260X/X3 Series",
"7280E/R/R2/R3 Series",
"7300X/X3 Series",
"7320X Series",
"7358X4 Series",
"7368X4 Series",
"7388X5 Series",
"7500E/R/R2/R3 Series",
"7800R3 Series",
"CloudEOS",
"cEOS-lab",
"vEOS-lab",
"AWE 5000 Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.31.2F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.5M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.8M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.9M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.10M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27892, the only condition is that OpenConfig must be enabled with an SSL profile:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: profile-name\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\u003c/pre\u003e\u003cbr\u003e\u003cp\u003eIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nEnabled: no transports enabled\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27892, the only condition is that OpenConfig must be enabled with an SSL profile:\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: profile-name\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\nIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled"
}
],
"datePublic": "2024-07-02T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAffected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:33:15.792Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19862-security-advisory-0099"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27892 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.6M and later release in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27892 has been fixed in the following releases:\n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.6M and later release in the 4.30.x train\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following hotfix can be applied to remediate CVE-2024-27892. The hotfix only applies to the releases listed below and no other releases.\u003c/p\u003e\u003cp\u003eNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\u003c/p\u003eEOS Versions 4.30.5\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.29.7\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003ed6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.28.10.1\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eFor instructions on installation and verification of the hotfix patch, refer to the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-managing-eos-extensions?searchword=eos%20section%206%206%20managing%20eos%20extensions\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u201cmanaging eos extensions\u201d\u003c/a\u003e\u0026nbsp;section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019.\u003c/p\u003e"
}
],
"value": "The following hotfix can be applied to remediate CVE-2024-27892. The hotfix only applies to the releases listed below and no other releases.\n\n\n\nNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\n\nEOS Versions 4.30.5\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\n\n\u00a0\n\nEOS Versions 4.29.7\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\nd6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\n\n\u00a0\n\nEOS Versions 4.28.10.1\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\n\n\u00a0\n\n\n\nFor instructions on installation and verification of the hotfix patch, refer to the\u00a0 \u201cmanaging eos extensions\u201d https://www.arista.com/en/um-eos/eos-managing-eos-extensions \u00a0section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019."
}
],
"source": {
"advisory": "0099",
"defect": [
"BUG 912475"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi transport grpc default authorization requests\u003c/pre\u003e\u003cp\u003eAlternatively, TLS can be disabled:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no ssl profile\u003c/pre\u003e\u003cp\u003eAlternatively, the OpenConfig agent can be disabled entirely:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003c/pre\u003e"
}
],
"value": "The workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.\n\nswitch(config-gnmi-transport-default)#show management api gnmi transport grpc default authorization requests\n\nAlternatively, TLS can be disabled:\n\nswitch(config-gnmi-transport-default)#no ssl profile\n\nAlternatively, the OpenConfig agent can be disabled entirely:\n\nswitch(config-gnmi-transport-default)#no management api gnmi"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27892",
"datePublished": "2026-06-04T22:33:15.792Z",
"dateReserved": "2024-02-26T18:06:32.161Z",
"dateUpdated": "2026-06-05T18:30:17.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27890 (GCVE-0-2024-27890)
Vulnerability from cvelistv5 – Published: 2026-06-04 22:27 – Updated: 2026-06-05 18:29
VLAI
EPSS
VEX
Title
On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (No SSL Profiles Enabled).
Summary
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS |
Affected:
4.29.0 , ≤ 4.29.7M
(custom)
Affected: 4.28.0 , ≤ 4.28.10M (custom) Affected: 4.27.0 , ≤ 4.27.8M (custom) Affected: 4.26.0 , ≤ 4.26.9M (custom) Affected: 4.25.0 , ≤ 4.25.10M (custom) Affected: 4.24.0 , ≤ 4.24.11M (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:29:18.470860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:29:28.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"710 Series",
"720D Series",
"720XP/722XPM Series",
"750X Series",
"7010 Series",
"7010X Series",
"7020R Series",
"7130 Series running EOS",
"7150 Series",
"7160 Series",
"7170 Series",
"7050X/X2/X3/X4 Series",
"7060X/X2/X4/X5/X6 Series",
"7250X Series",
"7260X/X3 Series",
"7280E/R/R2/R3 Series",
"7300X/X3 Series",
"7320X Series",
"7358X4 Series",
"7368X4 Series",
"7388X5 Series",
"7500E/R/R2/R3 Series",
"7800R3 Series",
"CloudEOS",
"cEOS-lab",
"vEOS-lab",
"AWE 5000 Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.27.8M",
"status": "affected",
"version": "4.27.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.26.9M",
"status": "affected",
"version": "4.26.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.25.10M",
"status": "affected",
"version": "4.25.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.24.11M",
"status": "affected",
"version": "4.24.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27890, the only condition is that OpenConfig must be enabled:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\u003c/pre\u003e\u003cbr\u003e\u003cp\u003eIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nEnabled: no transports enabled\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27890, the only condition is that OpenConfig must be enabled:\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\nIf OpenConfig is not configured there is no exposure to this issue and the message will look like:\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAffected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:27:36.610Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19862-security-advisory-0099"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27890 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.30.0M and onwards\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27890 has been fixed in the following releases:\n * 4.30.0M and onwards\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following hotfix can be applied to remediate CVE-2024-27890. The hotfix only applies to the releases listed below and no other releases.\u003c/p\u003e\u003cp\u003eNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\u003c/p\u003eEOS Versions 4.30.5\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.29.7\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003ed6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eEOS Versions 4.28.10.1\u003cp\u003e\u003cb\u003e32 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u003cb\u003e64 bit\u003c/b\u003e\u003cbr\u003eVersion: 1.0\u003cbr\u003eURL:\u003cbr\u003e\u003ca href=\"https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\"\u003ehttps://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix\u003c/a\u003e\u003c/p\u003e\u003cpre\u003eSWIX hash:(SHA512)\u003cbr\u003e2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eFor instructions on installation and verification of the hotfix patch, refer to the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-managing-eos-extensions?searchword=eos%20section%206%206%20managing%20eos%20extensions\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u201cmanaging eos extensions\u201d\u003c/a\u003e\u0026nbsp;section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019.\u003c/p\u003e"
}
],
"value": "The following hotfix can be applied to remediate CVE-2024-27890. The hotfix only applies to the releases listed below and no other releases.\n\n\n\nNote: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.\n\nEOS Versions 4.30.5\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70\n\n\u00a0\n\nEOS Versions 4.29.7\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\nd6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4\n\n\u00a0\n\nEOS Versions 4.28.10.1\n\n32 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449\n\n\u00a0\n\n\n\n64 bit\nVersion: 1.0\nURL:\n https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix \n\n\n\nSWIX hash:(SHA512)\n2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52\n\n\u00a0\n\n\n\nFor instructions on installation and verification of the hotfix patch, refer to the\u00a0 \u201cmanaging eos extensions\u201d https://www.arista.com/en/um-eos/eos-managing-eos-extensions \u00a0section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command \u2018copy installed-extensions boot-extensions\u2019."
}
],
"source": {
"advisory": "0099",
"defect": [
"BUG 747512"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (No SSL Profiles Enabled).",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround to mitigate this vulnerability is to disable the OpenConfig agent entirely:\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003cbr\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eAlternatively for both, the OpenConfig agent can be disabled.\u003c/p\u003e\u003cpre\u003eswitch(config-gnmi-transport-default)#no management api gnmi\u003c/pre\u003e\u003c/pre\u003e"
}
],
"value": "The workaround to mitigate this vulnerability is to disable the OpenConfig agent entirely:\n\n\n\nswitch(config-gnmi-transport-default)#no management api gnmi\n\n\n\n\n\n\n\nAlternatively for both, the OpenConfig agent can be disabled.\n\n\n\nswitch(config-gnmi-transport-default)#no management api gnmi"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27890",
"datePublished": "2026-06-04T22:27:36.610Z",
"dateReserved": "2024-02-26T18:06:32.160Z",
"dateUpdated": "2026-06-05T18:29:28.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}