Skip to main content

Arista EOS EUVDEUVD-2025-210068

| CVE-2025-8873 HIGH
Improper Validation of Syntactic Correctness of Input (CWE-1286)
2026-06-04 psirt@arista.com GHSA-xhpm-f58r-37px
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 23:30 vuln.today

DescriptionCVE.org

On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.

AnalysisAI

Denial of service in Arista EOS devices with IPsec configured allows remote unauthenticated attackers to halt all IPsec traffic processing by sending a specially crafted packet. The control plane's recovery attempt via pipeline reset may itself fail to restore traffic flow, producing a persistent outage of IPsec-protected communications until manual intervention. No public exploit identified at time of analysis, but the vulnerability was reported by an Arista customer, suggesting it was discovered through real-world operational impact rather than theoretical research.

Technical ContextAI

Arista EOS (Extensible Operating System) is the network operating system running on Arista's switching and routing platforms, including data center and campus switches. The vulnerability resides in the IPsec dataplane processing pipeline, which handles encrypted tunnel traffic terminating on or originating from the device. CWE-1286 (Improper Validation of Syntactic Correctness of Input) indicates the dataplane fails to properly validate the structural form of incoming packets, allowing a malformed packet to corrupt or stall the processing pipeline. Critically, the control plane's recovery mechanism - designed to detect and reset the stuck pipeline - does not reliably restore service, suggesting the fault state persists beyond the reset boundary or that re-initialization itself encounters the same condition.

RemediationAI

Patch status not specified in the provided input - consult Arista security advisory 0127 at https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127 for the exact fixed EOS train and hotfix availability for your platform. As a compensating control where patching is not immediately feasible, restrict the set of peers permitted to negotiate IPsec sessions with the affected device using IKE peer ACLs or upstream firewall rules to drop IPsec (ESP/UDP 500/UDP 4500) from untrusted sources, recognizing this does not prevent a malicious authorized peer from sending the crafted packet. Monitoring for dataplane IPsec counter stalls and alerting on sudden cessation of IPsec throughput will reduce mean time to detection, since the documented behavior is that automatic recovery may fail and require manual intervention (likely a process restart or device reboot).

Share

EUVD-2025-210068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy