Which versions of Arista CloudVision Exchange are affected by EUVD-2025-210077?

Arista CloudVision Exchange contains a privilege escalation vulnerability allowing authenticated attackers with network access to its Redis service to obtain root control of the entire management…. A patch is available.

How to fix or mitigate EUVD-2025-210077?

24 hours: Identify and inventory all Arista CVX deployments; verify whether Redis services are accessible from untrusted networks; restrict network access to Redis (default port 6379) to trusted administrative networks only. 7 days: Implement encrypted tunnels (VPN/TLS) for all Redis traffic; rotate Redis authentication credentials; review access logs for unauthorized connection attempts. 30 days: Monitor Arista security advisories for patched CVX versions addressing CVE-2025-5088; conduct patch testing in non-production environments; establish upgrade timeline for immediate deployment upon patch availability.

Arista CloudVision Exchange EUVD-2025-210077

Q: What is the CVSS score of EUVD-2025-210077?

EUVD-2025-210077 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2025-5088 HIGH

Improper Privilege Management (CWE-269)

2026-06-05 Arista

GHSA-6vg3-4m6v-gqxx

Privilege Escalation Redis

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Jun 05, 2026 - 18:01 EUVD

Analysis Updated

Jun 05, 2026 - 17:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 05, 2026 - 17:22 vuln.today

cvss_changed

CVSS changed

Jun 05, 2026 - 17:22 NVD

8.3 (HIGH) 8.7 (HIGH)

Analysis Generated

Jun 05, 2026 - 17:18 vuln.today

CVE Published

Jun 05, 2026 - 15:58 nvd

HIGH 8.3

DescriptionNVD

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.

AnalysisAI

Privilege escalation in Arista CloudVision Exchange (CVX) allows an authenticated attacker with network reach to the Redis service to obtain full root access across every server in the CVX cluster. The flaw stems from CVX's reliance on Redis for inter-node coordination combined with the fact that Redis traffic - including authentication - is transmitted in plaintext, meaning anyone who can sniff a single session can replay credentials to compromise the entire cluster. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Arista CVX is the clustering/state-exchange component of Arista EOS that distributes network state between control-plane nodes; it uses Redis as a shared coordination store. The weakness maps to CWE-269 (Improper Privilege Management) because an authenticated Redis client - which should be a narrowly scoped data-plane role - is effectively trusted to issue operations that result in root-equivalent control over CVX hosts. Compounding this design issue, CVX's current Redis deployment lacks TLS (tracked under Arista RFE1294850), so authentication tokens, commands, and responses traverse the network unencrypted, making credential capture trivial for any attacker positioned on the management or cluster-interconnect path.

RemediationAI

Patch status from the provided data is ambiguous - consult the Arista advisory at https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126 for fixed EOS/CVX versions and apply the vendor-recommended upgrade for your release train. As compensating controls until upgrade, restrict the Redis service port on CVX nodes to a dedicated, isolated management/cluster VLAN reachable only by authorized CVX peers and operators (trade-off: requires network segmentation changes and may break existing tooling that talks to Redis directly); enforce host-based firewall rules on CVX servers to deny Redis access from any address outside the cluster control plane; rotate the Redis password and tightly limit which operators hold it, recognizing that rotation alone does not solve plaintext exposure; and monitor for unexpected Redis client connections. Until the TLS work tracked under RFE1294850 ships, assume any network path carrying CVX Redis traffic is a credential-disclosure channel and treat it as a sensitive segment.