Arista EOS: Eleven Network Device Vulnerabilities Disclosed Together
Arista's network operating system, EOS, is affected by eleven vulnerabilities disclosed on June 4-5, 2026, impacting IPsec, OpenConfig, and CVX cluster security.

Key findings
- Eleven vulnerabilities in Arista EOS disclosed in a single batch on June 4-5, 2026.
- Critical flaws (CVE-2024-27892, CVE-2024-27890) affect OpenConfig, allowing unauthorized configuration changes.
- High-severity issues impact IPsec traffic processing (CVE-2025-8873) and CVX cluster security via Redis (CVE-2025-5088).
- Multiple vulnerabilities affect Arista's CloudVision (CVX) platform, leading to potential DoS and privilege escalation.
- Issues related to IPsec, tunnel encapsulation, and 802.1x authentication are also present.
Arista's network operating system, EOS, is the subject of a significant disclosure event with eleven vulnerabilities revealed between June 4 and June 5, 2026. The batch of security flaws, spanning a 20-hour window, impacts various functionalities including IPsec, OpenConfig, and the security of Arista's CloudVision (CVX) cluster management.
Several vulnerabilities center on IPsec functionality. CVE-2026-2379 (Medium) describes unexpected behavior in IPsec tunnel re-establishment due to sequence number mismatches under specific conditions. Similarly, CVE-2026-7473 (Medium) details how certain tunnel decapsulation configurations can lead to the incorrect forwarding of unexpected tunneled packets. A more severe issue, CVE-2025-8873 (High), involves a specially crafted packet that can halt IPsec traffic processing, potentially requiring a reset of the IPsec pipeline. Additionally, CVE-2024-27891 (Medium) notes that MACsec and egress ACLs configured on the same interfaces may not be enforced correctly for egressing packets.
The Arista CloudVision (CVX) management platform is also affected by multiple vulnerabilities. CVE-2025-5090 and CVE-2025-5089 (both Medium) describe how CVX and connected EOS switches are not resilient to unexpected or malformed messages, potentially leading to agent crashes and denial of service scenarios within the CVX cluster. A particularly concerning vulnerability, CVE-2025-5088 (High), allows an authenticated Redis session to be leveraged for full root access to all servers within a CVX cluster, provided an attacker has network access and the Redis password.
OpenConfig configuration management is another area impacted. CVE-2024-27892 and CVE-2024-27890 (both Critical) indicate that a gNMI Set request can be executed when it should have been rejected, leading to the application of unexpected configurations on the switch. These two vulnerabilities share the same description and severity, highlighting a critical flaw in OpenConfig handling.
Further impacting network access control, CVE-2023-5502 (Medium) describes a bypass of 802.1x authentication requirements under specific configurations involving routing on access VLANs. Complementing this, CVE-2024-6858 (severity not stated in the disclosure summary) notes that in 802.1X mode, unauthenticated hosts might gain access if an EAPOL-capable device exists in the fallback VLAN.
Arista has released advisories and patches for these vulnerabilities. Users are strongly encouraged to review the specific advisories for each CVE and apply the recommended updates to mitigate the risks associated with these disclosures. The wide range of affected components, from core networking protocols like IPsec to management and configuration systems, underscores the importance of maintaining up-to-date systems.