CVE-2025-5089

Vulnerability

In an Arista CVX cluster, an EOS switch connected to a CVX server is vulnerable to malformed messages from the CVX server, and vice-versa. This vulnerability affects Arista EOS switches and CVX servers when they are connected in a CVX cluster configuration. The issue arises from a lack of resilience to specific malformed network messages exchanged between these components.

Exploitation

An attacker with high-privilege access to a connected device can send custom TCP packets containing malformed messages. This action can trigger agent crashes on either the EOS device or the CVX server, depending on the direction of the malformed message. Successful exploitation requires the attacker to have already obtained elevated privileges on one of the connected devices.

Impact

Successful exploitation of this vulnerability can lead to a denial of service (DoS) scenario. On the EOS device, a Sysdb agent crash can cause a soft reset of the switch. On the CVX server, agent crashes can lead to instability within the CVX cluster. The scope of the impact is limited to the affected switch or CVX cluster.

Mitigation

Arista has addressed this vulnerability. The specific fixed version and release date are not detailed in the provided references. Users are advised to consult Arista's security advisories for the latest information on patches and mitigation strategies. EOS switches not connected to a CVX server are not impacted by this issue [1].