Security Advisories
Arista Networks is committed to maintaining the highest standards of security across our product portfolio. Leveraging extensive testing and monitoring of vulnerabilities to isolate and neutralize threats early, Arista's Product Security Incident Response Team (PSIRT) provides global coverage for public reporting of possible security vulnerabilities across the product portfolio.
The PSIRT team monitors industry-wide vulnerability reporting as well as providing a single point of contact for customers and interested third parties to investigate and identify potential threats. The PSIRT team also works to communicate these issues back to the user community in a timely manner.
Arista's approach to vulnerability management and links to best practice guidelines can be found here.
For technical assistance with workarounds and hotfix installations recommended in security advisories, please contact the Arista Support team by email.
Report security vulnerabilities found in Arista products to the PSIRT team by email. It is recommended to use Arista's PGP key for secure and private communication directly with the PSIRT team.
Arista PSIRT is happy to work with researchers on discovered vulnerabilities in Arista products, the assignment of CVEs, and timelines for responsible disclosure. A researcher who discovers a new vulnerability will be acknowledged in the advisory related to that vulnerability. Arista PSIRT is interested in receiving reports on issues affecting features in both Arista code and Open Source Software used in Arista products. Security issues found in Open Source Software which do not affect Arista products are outside Arista's scope and should be referred to the appropriate CNA found here.
PSIRT Advisories
The following advisories and referenced materials are provided on an "as is" basis for use at your own risk. Arista Networks reserves the right to change or update the advisories without notice at any time.
Security Advisory 0120
May 27, 2025
On affected platforms running Arista EOS, ACL policies may not be enforced. An IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more Ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to be incorrectly allowed or denied.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0119
May 27, 2025
On affected platforms with hardware IPsec support running Arista EOS with IPsec enabled and anti-replay protection configured, EOS may exhibit unexpected behavior in specific cases. Received duplicate encrypted packets, which should be dropped under normal anti-replay protection, will instead be forwarded due to this vulnerability.
Note: this issue does not affect VXLANSec or MACSec encryption functionality.
Security Advisory 0118
May 20, 2025
On affected platforms running Arista EOS, ingress traffic on Layer 2 ports may, under certain conditions, be improperly forwarded to ports associated with different VLANs, resulting in a breach of VLAN isolation and segmentation boundaries.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0117
May 6, 2025
On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device, or possibly on other remote accounting servers (e.g. TACACS, RADIUS).
Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0116
April 15, 2025
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
This vulnerability was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0115
April 15, 2025
On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
The issue was discovered internally by Arista. Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0114
April 15, 2025
On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service.
The issue was discovered internally by Arista. Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0113
April 8, 2025
On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear.
Arista is not aware of any malicious uses of this issue in customer networks.
Security Advisory 0112
On affected platforms running Arista EOS with Traffic Policies configured, the vulnerability causes received untagged packets to not match the Traffic Policy rules that are expected to match them. If the rule was to drop the packet, the packet will not be dropped and will instead be forwarded as if the rule were not in place. This could lead to packets being delivered to unexpected destinations.
This vulnerability is being tracked by BUG 992963.
Security Advisory 0111
For both CVE-2025-1259 and CVE-2025-1260, on affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected.
CVE-2025-1259 can result in users retrieving data that should not have been available.
CVE-2025-1260 can result in unexpected configuration/operations being applied to the switch.
These issues were discovered internally, and Arista is unaware of any malicious uses of these issues in customer networks. Both are authorization issues of the same type and are being released together for that reason.
The CVE IDs tracking these issues are CVE-2025-1259 and CVE-2025-1260.