CVE-2025-8873

Vulnerability

On affected Arista EOS platforms with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. This issue affects EOS versions 4.33.4M and below in the 4.33.x train, 4.32.6.1M and below in the 4.32.x train, 4.31.7.1M and below in the 4.31.x train, 4.30.10M and below in the 4.30.x train, and 4.29.10.1M and below in the 4.29.x train, specifically on 7020SRG Series products [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted IPsec packet to an affected Arista device. No specific network position, authentication, or user interaction is mentioned as required for exploitation, suggesting a potential for remote exploitation against devices with IPsec configured [1].

Impact

Successful exploitation causes the dataplane to stop processing all IPsec traffic. While the control plane may attempt to reset the IPsec processing pipeline, traffic may not resume. This impact is limited to IPsec traffic originating or terminating on the system; non-IPsec traffic remains unaffected [1].

Mitigation

Arista has released security advisory 0127 detailing the vulnerability and affected versions. Specific patched versions are not yet disclosed in the available references, and no workarounds are provided. Arista is not aware of any malicious uses of this issue in customer networks [1].