Skip to main content

Arista NGFW CVE-2026-25620

| EUVD-2026-34903 HIGH
OS Command Injection (CWE-78)
2026-06-05 psirt@arista.com GHSA-533r-r386-qc78
Command Injection Ng Firewall
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
P

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 20:34 vuln.today

DescriptionCVE.org

An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.

AnalysisAI

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows authenticated high-privileged remote attackers to inject OS commands through the Captive Portal application framework via encrypted password handling. The flaw is unique to release 17.4.0 with earlier versions unaffected, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain NGFW admin credentials
Delivery
Reach Captive Portal management interface over network
Exploit
Submit crafted encrypted password payload
Execution
Shell metacharacters injected into OS command
Persist
Command executes in portal service context
Impact
Exfiltrate firewall config and captured credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Target must be running exactly Arista NGFW version 17.4.0 with the Captive Portal application framework deployed and reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L) shows network reach with low attack complexity but high privileges required, materially limiting blast radius - an attacker already needs admin-tier access to the NGFW management surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or compromised a high-privileged NGFW administrator account (for example via phishing, credential reuse, or insider access) reaches the management interface over the network and submits a crafted payload through the Captive Portal encrypted password handling path. The injected shell metacharacters execute in the context of the captive portal service, allowing the attacker to read sensitive firewall configuration, captured credentials, or portal session data. …
Remediation Consult the Arista security advisory at https://www.arista.com/en/support/advisories-notices/security-advisory/22867-security-advisory-0133 for the fixed release - patch availability per vendor advisory but an exact fixed version was not provided in the input data. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Arista NGFW v17.4.0 deployments and restrict administrative access to essential personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-25620 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy