Vulnerability-Lookup

CVE-2025-5088 (GCVE-0-2025-5088)

Vulnerability from cvelistv5 – Published: 2026-06-05 15:58 – Updated: 2026-06-05 15:58

Title

Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session

Summary

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.

Severity

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

CWE

CWE-269 - Improper Privilege Management

Assigner

Arista

References

1 reference

URL	Tags
https://www.arista.com/en/support/advisories-noti…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Arista Networks	EOS / CloudVision eXchange (CVX)	Affected: 4.34.0F , ≤ 4.34.1F (custom) Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom)

Date Public

2025-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "CloudVision eXchange",
            "virtual or physical appliance"
          ],
          "product": "EOS / CloudVision eXchange (CVX)",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.34.1F",
              "status": "affected",
              "version": "4.34.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.33.4M",
              "status": "affected",
              "version": "4.33.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.32.6M",
              "status": "affected",
              "version": "4.32.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.8M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThan": "4.31.0",
              "status": "affected",
              "version": "4.30.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n  Status: Enabled\n  Supported versions: 1\n  \n  Switch    Status    Negotiated Version\n  ------    -------   ------------------\n  \u0026lt;Switch1\u0026gt; Enabled   1\n  \ncvx1#show running-config section mcs\ncvx\n   service mcs\n      redis password 7 03054902151B20\n      no shutdown\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf MCS Service is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n  Status: Disabled\n  Supported versions: 1\n  \n  Switch    Status     Negotiated Version\n  ------    --------   ------------------\n  \u0026lt;Switch1\u0026gt; Disabled\u003c/code\u003e\u003c/pre\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n  Status: Enabled\n  Supported versions: 1\n  \n  Switch    Status    Negotiated Version\n  ------    -------   ------------------\n  \u003cSwitch1\u003e Enabled   1\n  \ncvx1#show running-config section mcs\ncvx\n   service mcs\n      redis password 7 03054902151B20\n      no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n  Status: Disabled\n  Supported versions: 1\n  \n  Switch    Status     Negotiated Version\n  ------    --------   ------------------\n  \u003cSwitch1\u003e Disabled"
        }
      ],
      "datePublic": "2025-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\u003c/p\u003e"
            }
          ],
          "value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T15:58:15.288Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-5088 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n  *  4.34.2F and later releases in the 4.34.x train\n  *  4.33.5M and later releases in the 4.33.x train\n  *  4.32.7M and later releases in the 4.32.x train\n  *  4.31.9M and later releases in the 4.31.x train"
        }
      ],
      "source": {
        "advisory": "0126",
        "defect": [
          "BUG1140117"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\u003c/p\u003e\u003cp\u003ePlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eLog in to the CVX Server\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eStop Redis Before Applying Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\u003c/p\u003e\u003cp\u003eExecuting \u003ci\u003eno redis password\u003c/i\u003e stops the Redis service by removing its authentication credentials, which prevents it from running.\u003c/p\u003e\u003cpre\u003ecvx\u0026gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eEdit the redis.service Systemd Service File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\u003c/p\u003e\u003cp\u003eFirst, transition to bash mode from the CVX configuration prompt:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#bash\u003c/pre\u003e\u003cp\u003eOnce in bash, use \u003ci\u003esudo nano\u003c/i\u003e to edit the redis.service file:\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo nano /etc/systemd/system/redis.service\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\u003c/b\u003e\u003c/div\u003e\u003cp\u003eWithin the redis.service file, locate the [Service] section and add the following lines:\u003c/p\u003e\u003cpre\u003e[Service]\nUser=redis\nGroup=redis\u003c/pre\u003e\u003cp\u003eThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\u003c/p\u003e\u003cp\u003eSave and exit the editor.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eChange Ownership of the Redis Log File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eTo ensure the redis user has appropriate write permissions for its log file, change the ownership of \u003ci\u003e/var/log/redis/redis.log\u003c/i\u003e to the redis user and group.\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\u003c/pre\u003e\u003cp\u003eThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eRestart the Redis with New Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\u003c/p\u003e\u003cp\u003eFirst, exit bash mode:\u003c/p\u003e\u003cpre\u003e[cvx ~]$exit\u003c/pre\u003e\u003cp\u003eThen, reconfigure the Redis password:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#redis password \u0026lt;secret\u0026gt;\u003c/pre\u003e\u003cp\u003eReplace \u003ci\u003e\u0026lt;secret\u0026gt;\u003c/i\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\u003c/p\u003e\u003cp\u003e\u003cb\u003eNOTE:\u003c/b\u003e Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.\u003c/p\u003e"
            }
          ],
          "value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx\u003eenable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password \u003csecret\u003e\n\n\n\nReplace \u003csecret\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2025-5088",
    "datePublished": "2026-06-05T15:58:15.288Z",
    "dateReserved": "2025-05-22T16:20:16.105Z",
    "dateUpdated": "2026-06-05T15:58:15.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-5088",
      "date": "2026-06-07",
      "epss": "0.00024",
      "percentile": "0.0705"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5088\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2026-06-05T17:16:29.097\",\"lastModified\":\"2026-06-05T19:03:48.933\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126\",\"source\":\"psirt@arista.com\"}]}}"
  }
}

FKIE_CVE-2025-5088

Vulnerability from fkie_nvd - Published: 2026-06-05 17:16 - Updated: 2026-06-05 19:03

Severity

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Summary

References

	URL	Tags
	psirt@arista.com	https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
    }
  ],
  "id": "CVE-2025-5088",
  "lastModified": "2026-06-05T19:03:48.933",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.5,
        "source": "psirt@arista.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "psirt@arista.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-05T17:16:29.097",
  "references": [
    {
      "source": "psirt@arista.com",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
    }
  ],
  "sourceIdentifier": "psirt@arista.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "psirt@arista.com",
      "type": "Secondary"
    }
  ]
}

GHSA-6VG3-4M6V-GQXX

Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-05 18:31

Details

Severity

8.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-5088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T17:16:29Z",
    "severity": "HIGH"
  },
  "details": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.",
  "id": "GHSA-6vg3-4m6v-gqxx",
  "modified": "2026-06-05T18:31:39Z",
  "published": "2026-06-05T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5088"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

NCSC-2025-0374

Vulnerability from csaf_ncscnl - Published: 2025-11-20 11:48 - Updated: 2025-11-20 11:48

Summary

Kwetsbaarheden verholpen in Arista EOS

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Arista heeft kwetsbaarheden verholpen in de Arista EOS-platform.

Interpretaties: De kwetsbaarheden zijn gerelateerd aan de verwerking van verkeerd gevormde berichten, wat kan leiden tot systeemcrashes en Denial-of-Service-omstandigheden. Aanvallers met hoge privileges kunnen deze kwetsbaarheden misbruiken, wat leidt tot ernstige operationele verstoringen. Daarnaast kan het verzenden van willekeurige bytes naar het CVX-systeem de ControllerOob-agent laten herstarten, wat ook kan resulteren in een Denial-of-Service. Bovendien heeft de Arista EOS-platform een kwetsbaarheid die systemen met IPsec beïnvloedt, waardoor de dataplane stopt met het verwerken van al het IPsec-verkeer. Dit kan een systeemreset vereisen, zonder garantie op herstel van de verkeersverwerking. Voor misbruik heeft de kwaadwillende geen authenticatie nodig. Tot slot kan een geauthenticeerde Redis-sessie volledige roottoegang krijgen tot alle servers binnen de CVX-cluster, wat een ernstige bedreiging vormt voor de beveiliging.

Oplossingen: Arista heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-269: Improper Privilege Management

CWE-1286: Improper Validation of Syntactic Correctness of Input

CVE-2025-5089

The EOS switch and CVX server are susceptible to crashes and denial of service due to vulnerabilities in handling malformed messages, which can be exploited by high privilege attackers.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* Arista Networks / EOS		vers:unknown/*

CVE-2025-5090

Sending random bytes to CVX can cause the ControllerOob agent to restart, potentially leading to a denial of service if this action is repeated continuously.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* Arista Networks / EOS		vers:unknown/*

CVE-2025-8873

A vulnerability in Arista EOS with IPsec configured can halt the dataplane's processing of IPsec traffic, potentially necessitating a reset that may not restore functionality.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* Arista Networks / EOS		vers:unknown/*

CVE-2025-5088

CVE-2025-5088 enables an authenticated Redis session to achieve full root access across all servers in the CVX cluster, necessitating network access and the Redis password, with communications currently in plaintext.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* Arista Networks / EOS		vers:unknown/*

References

6 references

URL	Category
https://www.arista.com/en/support/advisories-noti…	external
https://www.arista.com/en/support/advisories-noti…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Arista heeft kwetsbaarheden verholpen in de Arista EOS-platform.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden zijn gerelateerd aan de verwerking van verkeerd gevormde berichten, wat kan leiden tot systeemcrashes en Denial-of-Service-omstandigheden. Aanvallers met hoge privileges kunnen deze kwetsbaarheden misbruiken, wat leidt tot ernstige operationele verstoringen. Daarnaast kan het verzenden van willekeurige bytes naar het CVX-systeem de ControllerOob-agent laten herstarten, wat ook kan resulteren in een Denial-of-Service. Bovendien heeft de Arista EOS-platform een kwetsbaarheid die systemen met IPsec be\u00efnvloedt, waardoor de dataplane stopt met het verwerken van al het IPsec-verkeer. Dit kan een systeemreset vereisen, zonder garantie op herstel van de verkeersverwerking. Voor misbruik heeft de kwaadwillende geen authenticatie nodig. Tot slot kan een geauthenticeerde Redis-sessie volledige roottoegang krijgen tot alle servers binnen de CVX-cluster, wat een ernstige bedreiging vormt voor de beveiliging.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Arista heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Privilege Management",
        "title": "CWE-269"
      },
      {
        "category": "general",
        "text": "Improper Validation of Syntactic Correctness of Input",
        "title": "CWE-1286"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Arista EOS",
    "tracking": {
      "current_release_date": "2025-11-20T11:48:20.126141Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0374",
      "initial_release_date": "2025-11-20T11:48:20.126141Z",
      "revision_history": [
        {
          "date": "2025-11-20T11:48:20.126141Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "EOS"
          }
        ],
        "category": "vendor",
        "name": "Arista Networks"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-5089",
      "notes": [
        {
          "category": "description",
          "text": "The EOS switch and CVX server are susceptible to crashes and denial of service due to vulnerabilities in handling malformed messages, which can be exploited by high privilege attackers.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5089 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5089.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-5089"
    },
    {
      "cve": "CVE-2025-5090",
      "notes": [
        {
          "category": "description",
          "text": "Sending random bytes to CVX can cause the ControllerOob agent to restart, potentially leading to a denial of service if this action is repeated continuously.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5090 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5090.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-5090"
    },
    {
      "cve": "CVE-2025-8873",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Validation of Syntactic Correctness of Input",
          "title": "CWE-1286"
        },
        {
          "category": "description",
          "text": "A vulnerability in Arista EOS with IPsec configured can halt the dataplane\u0027s processing of IPsec traffic, potentially necessitating a reset that may not restore functionality.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-8873 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8873.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-8873"
    },
    {
      "cve": "CVE-2025-5088",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Privilege Management",
          "title": "CWE-269"
        },
        {
          "category": "description",
          "text": "CVE-2025-5088 enables an authenticated Redis session to achieve full root access across all servers in the CVX cluster, necessitating network access and the Redis password, with communications currently in plaintext.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5088 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5088.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-5088"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-5088 (GCVE-0-2025-5088)

FKIE_CVE-2025-5088

GHSA-6VG3-4M6V-GQXX

NCSC-2025-0374

Tags

Sightings

Nomenclature