Skip to main content

Arista EOS/CVX EUVDEUVD-2025-210075

| CVE-2025-5089 HIGH
Improper Input Validation (CWE-20)
2026-06-05 Arista GHSA-xmjq-j83c-q6g4
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
Jun 05, 2026 - 18:01 EUVD
Analysis Generated
Jun 05, 2026 - 17:22 vuln.today
Severity Changed
Jun 05, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
Jun 05, 2026 - 17:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
CVE Published
Jun 05, 2026 - 15:44 nvd
HIGH 7.1

DescriptionCVE.org

In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.

AnalysisAI

Denial of service in Arista EOS switches and CloudVision Exchange (CVX) servers arises from improper input validation in the TCP messaging protocol that governs EOS-CVX cluster communication. Sending malformed messages in either direction - from a CVX server to an EOS switch, or vice versa - triggers a Sysdb agent crash on the EOS device (causing a soft reset) or agent crashes on the CVX server (causing cluster-wide instability). Exploitation requires the attacker to already hold high-privilege access on a device within the cluster, and no public exploit code or CISA KEV listing exists at time of analysis, making this a targeted insider or post-compromise threat rather than an opportunistic one.

Technical ContextAI

Arista's CloudVision Exchange (CVX) is a centralized network controller to which EOS-based switches connect over custom TCP sessions to receive policy, state, and configuration data. The affected component on the EOS side is the Sysdb agent - Arista EOS's core system database daemon - whose crash triggers a full soft reset of the switch. On the CVX side, agent crashes propagate instability to the entire cluster, impacting all connected devices. The root cause is CWE-20 (Improper Input Validation): neither side adequately validates the structure or content of incoming protocol messages before processing them, allowing a crafted malformed message to drive the receiving agent into a crash state. The CPE cpe:2.3:a:arista_networks:eos_/_cloudvision_exchange_(cvx):*:*:*:*:*:*:*:* covers the combined EOS/CVX product pairing across all versions, indicating the input validation gap is present throughout the product line rather than in a specific revision.

RemediationAI

Consult Arista Security Advisory 0126 (https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126) for vendor-released patched versions of EOS and CVX; exact fix versions were not present in the available data and must be confirmed directly from the advisory before upgrading. As an immediate compensating control, enforce strict role-based access controls (RBAC) on all EOS switches and CVX servers to ensure that only the minimum required privileged accounts can access device management interfaces - this directly addresses the high-privilege prerequisite the vendor identifies as necessary for exploitation. Network segmentation restricting management-plane reachability of CVX servers to trusted administrator hosts provides an additional boundary, though this does not protect against insider threats already holding privileged credentials. For non-critical EOS switches, temporarily disconnecting them from the CVX cluster eliminates their exposure entirely, at the trade-off of losing centralized policy management for those segments until a patch is applied.

Share

EUVD-2025-210075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy