Search criteria
6 vulnerabilities found for EOS / CloudVision eXchange (CVX) by Arista Networks
CVE-2025-5090 (GCVE-0-2025-5090)
Vulnerability from nvd – Published: 2026-06-05 15:49 – Updated: 2026-06-05 15:49
VLAI
Title
Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages
Summary
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0 , < 4.32.0 (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 16:46
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThan": "4.32.0",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-11-18T16:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.\u003c/p\u003e"
}
],
"value": "CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:49:27.770Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1139764"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "An attacker with high privilege access over a downstream switch can emit unexpected or malformed TCP packets causing state management code on CVX (ControllerOob/Controllerdb) to throw unhandled faults, leading to ongoing client deregistration cycles and cluster instability."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5090",
"datePublished": "2026-06-05T15:49:27.770Z",
"dateReserved": "2025-05-22T16:26:48.444Z",
"dateUpdated": "2026-06-05T15:49:27.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5089 (GCVE-0-2025-5089)
Vulnerability from nvd – Published: 2026-06-05 15:44 – Updated: 2026-06-05 15:44
VLAI
Title
Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages
Summary
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-12-18 16:40
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-12-18T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.\u003c/p\u003e"
}
],
"value": "In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:44:45.822Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n \u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train\n\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140255"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "The attack leverages structurally malformed message payloads communicated over a trusted client/server connection interface to trigger unhandled parser logic, inducing an agent process crash (Denial of Service)."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5089",
"datePublished": "2026-06-05T15:44:45.822Z",
"dateReserved": "2025-05-22T16:26:45.461Z",
"dateUpdated": "2026-06-05T15:44:45.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5088 (GCVE-0-2025-5088)
Vulnerability from nvd – Published: 2026-06-05 15:58 – Updated: 2026-06-05 15:58
VLAI
Title
Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session
Summary
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Severity
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 00:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u0026lt;Switch1\u0026gt; Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf MCS Service is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u0026lt;Switch1\u0026gt; Disabled\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u003cSwitch1\u003e Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u003cSwitch1\u003e Disabled"
}
],
"datePublic": "2025-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\u003c/p\u003e"
}
],
"value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:58:15.288Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-5088 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n * 4.34.2F and later releases in the 4.34.x train\n * 4.33.5M and later releases in the 4.33.x train\n * 4.32.7M and later releases in the 4.32.x train\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140117"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\u003c/p\u003e\u003cp\u003ePlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eLog in to the CVX Server\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eStop Redis Before Applying Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\u003c/p\u003e\u003cp\u003eExecuting \u003ci\u003eno redis password\u003c/i\u003e stops the Redis service by removing its authentication credentials, which prevents it from running.\u003c/p\u003e\u003cpre\u003ecvx\u0026gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eEdit the redis.service Systemd Service File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\u003c/p\u003e\u003cp\u003eFirst, transition to bash mode from the CVX configuration prompt:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#bash\u003c/pre\u003e\u003cp\u003eOnce in bash, use \u003ci\u003esudo nano\u003c/i\u003e to edit the redis.service file:\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo nano /etc/systemd/system/redis.service\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\u003c/b\u003e\u003c/div\u003e\u003cp\u003eWithin the redis.service file, locate the [Service] section and add the following lines:\u003c/p\u003e\u003cpre\u003e[Service]\nUser=redis\nGroup=redis\u003c/pre\u003e\u003cp\u003eThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\u003c/p\u003e\u003cp\u003eSave and exit the editor.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eChange Ownership of the Redis Log File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eTo ensure the redis user has appropriate write permissions for its log file, change the ownership of \u003ci\u003e/var/log/redis/redis.log\u003c/i\u003e to the redis user and group.\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\u003c/pre\u003e\u003cp\u003eThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eRestart the Redis with New Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\u003c/p\u003e\u003cp\u003eFirst, exit bash mode:\u003c/p\u003e\u003cpre\u003e[cvx ~]$exit\u003c/pre\u003e\u003cp\u003eThen, reconfigure the Redis password:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#redis password \u0026lt;secret\u0026gt;\u003c/pre\u003e\u003cp\u003eReplace \u003ci\u003e\u0026lt;secret\u0026gt;\u003c/i\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\u003c/p\u003e\u003cp\u003e\u003cb\u003eNOTE:\u003c/b\u003e Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.\u003c/p\u003e"
}
],
"value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx\u003eenable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password \u003csecret\u003e\n\n\n\nReplace \u003csecret\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5088",
"datePublished": "2026-06-05T15:58:15.288Z",
"dateReserved": "2025-05-22T16:20:16.105Z",
"dateUpdated": "2026-06-05T15:58:15.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5088 (GCVE-0-2025-5088)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:58 – Updated: 2026-06-05 15:58
VLAI
Title
Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session
Summary
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Severity
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 00:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u0026lt;Switch1\u0026gt; Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf MCS Service is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u0026lt;Switch1\u0026gt; Disabled\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Enabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ ------- ------------------\n \u003cSwitch1\u003e Enabled 1\n \ncvx1#show running-config section mcs\ncvx\n service mcs\n redis password 7 03054902151B20\n no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n Status: Disabled\n Supported versions: 1\n \n Switch Status Negotiated Version\n ------ -------- ------------------\n \u003cSwitch1\u003e Disabled"
}
],
"datePublic": "2025-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.\u003c/p\u003e"
}
],
"value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:58:15.288Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-5088 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n * 4.34.2F and later releases in the 4.34.x train\n * 4.33.5M and later releases in the 4.33.x train\n * 4.32.7M and later releases in the 4.32.x train\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140117"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\u003c/p\u003e\u003cp\u003ePlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eLog in to the CVX Server\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eStop Redis Before Applying Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\u003c/p\u003e\u003cp\u003eExecuting \u003ci\u003eno redis password\u003c/i\u003e stops the Redis service by removing its authentication credentials, which prevents it from running.\u003c/p\u003e\u003cpre\u003ecvx\u0026gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eEdit the redis.service Systemd Service File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\u003c/p\u003e\u003cp\u003eFirst, transition to bash mode from the CVX configuration prompt:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#bash\u003c/pre\u003e\u003cp\u003eOnce in bash, use \u003ci\u003esudo nano\u003c/i\u003e to edit the redis.service file:\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo nano /etc/systemd/system/redis.service\u003c/pre\u003e\u003cdiv\u003e\u003cb\u003eAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\u003c/b\u003e\u003c/div\u003e\u003cp\u003eWithin the redis.service file, locate the [Service] section and add the following lines:\u003c/p\u003e\u003cpre\u003e[Service]\nUser=redis\nGroup=redis\u003c/pre\u003e\u003cp\u003eThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\u003c/p\u003e\u003cp\u003eSave and exit the editor.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eChange Ownership of the Redis Log File\u003c/b\u003e\u003c/div\u003e\u003cp\u003eTo ensure the redis user has appropriate write permissions for its log file, change the ownership of \u003ci\u003e/var/log/redis/redis.log\u003c/i\u003e to the redis user and group.\u003c/p\u003e\u003cpre\u003e[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\u003c/pre\u003e\u003cp\u003eThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eRestart the Redis with New Changes\u003c/b\u003e\u003c/div\u003e\u003cp\u003eAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\u003c/p\u003e\u003cp\u003eFirst, exit bash mode:\u003c/p\u003e\u003cpre\u003e[cvx ~]$exit\u003c/pre\u003e\u003cp\u003eThen, reconfigure the Redis password:\u003c/p\u003e\u003cpre\u003ecvx(config-cvx-mcs)#redis password \u0026lt;secret\u0026gt;\u003c/pre\u003e\u003cp\u003eReplace \u003ci\u003e\u0026lt;secret\u0026gt;\u003c/i\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\u003c/p\u003e\u003cp\u003e\u003cb\u003eNOTE:\u003c/b\u003e Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.\u003c/p\u003e"
}
],
"value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx\u003eenable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd \u0027User\u0027 and \u0027Group\u0027 Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password \u003csecret\u003e\n\n\n\nReplace \u003csecret\u003e with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5088",
"datePublished": "2026-06-05T15:58:15.288Z",
"dateReserved": "2025-05-22T16:20:16.105Z",
"dateUpdated": "2026-06-05T15:58:15.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5090 (GCVE-0-2025-5090)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:49 – Updated: 2026-06-05 15:49
VLAI
Title
Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages
Summary
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0 , < 4.32.0 (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-11-18 16:46
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThan": "4.32.0",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5090, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-11-18T16:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.\u003c/p\u003e"
}
],
"value": "CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:49:27.770Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1139764"
],
"discovery": "INTERNAL"
},
"title": "Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "An attacker with high privilege access over a downstream switch can emit unexpected or malformed TCP packets causing state management code on CVX (ControllerOob/Controllerdb) to throw unhandled faults, leading to ongoing client deregistration cycles and cluster instability."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5090",
"datePublished": "2026-06-05T15:49:27.770Z",
"dateReserved": "2025-05-22T16:26:48.444Z",
"dateUpdated": "2026-06-05T15:49:27.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5089 (GCVE-0-2025-5089)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:44 – Updated: 2026-06-05 15:44
VLAI
Title
Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages
Summary
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) |
Affected:
4.34.0F , ≤ 4.34.1F
(custom)
Affected: 4.33.0M , ≤ 4.33.4M (custom) Affected: 4.32.0M , ≤ 4.32.6M (custom) Affected: 4.31.0M , ≤ 4.31.8M (custom) Affected: 4.30.0 , < 4.31.0 (custom) |
Date Public
2025-12-18 16:40
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CloudVision eXchange",
"virtual or physical appliance"
],
"product": "EOS / CloudVision eXchange (CVX)",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.34.1F",
"status": "affected",
"version": "4.34.0F",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.8M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThan": "4.31.0",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ecvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-5089, the following condition must be met: CVX must be configured:\n\n\n\n\ncvx1#show cvx\n Status: Enabled\n Mode: Standalone\n Heartbeat interval: 20.0\n Heartbeat timeout: 60.0\n Client connection state preserving: Disabled\n \ncvx1#show running-config section cvx\ncvx\n no shutdown"
}
],
"datePublic": "2025-12-18T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.\u003c/p\u003e"
}
],
"value": "In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:44:45.822Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003e4.34.2F and later releases in the 4.34.x train\u003c/li\u003e\n \u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\n \u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\n \u003cli\u003e4.31.9M and later releases in the 4.31.x train\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5089 has been fixed in the following releases:\n\n\n\n * 4.34.2F and later releases in the 4.34.x train\n\n * 4.33.5M and later releases in the 4.33.x train\n\n * 4.32.7M and later releases in the 4.32.x train\n\n * 4.31.9M and later releases in the 4.31.x train"
}
],
"source": {
"advisory": "0126",
"defect": [
"BUG1140255"
],
"discovery": "INTERNAL"
},
"title": "Arista EOS SysDB Agent Denial of Service via Malformed CVX Client/Server Messages",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is no mitigation for this issue.\u003c/p\u003e"
}
],
"value": "There is no mitigation for this issue."
}
],
"x_capecAlignment": {
"capecId": "CAPEC-125",
"capecName": "Flooding / Malformed Packet",
"justification": "The attack leverages structurally malformed message payloads communicated over a trusted client/server connection interface to trigger unhandled parser logic, inducing an agent process crash (Denial of Service)."
},
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-5089",
"datePublished": "2026-06-05T15:44:45.822Z",
"dateReserved": "2025-05-22T16:26:45.461Z",
"dateUpdated": "2026-06-05T15:44:45.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}