Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-2826

Summary
Assigner-Arista
Assigner Org ID-c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7
Published At-27 May, 2025 | 22:22
Updated At-28 May, 2025 | 13:34
Rejected At-
Credits

n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.

n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are: * Packets which should be permitted may be dropped and, * Packets which should be dropped may be permitted.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Arista
Assigner Org ID:c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7
Published At:27 May, 2025 | 22:22
Updated At:28 May, 2025 | 13:34
Rejected At:
▼CVE Numbering Authority (CNA)
n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.

n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are: * Packets which should be permitted may be dropped and, * Packets which should be dropped may be permitted.

Affected Products
Vendor
Arista Networks, Inc.Arista Networks
Product
EOS
Platforms
  • EOS
Default Status
unaffected
Versions
Affected
  • 4.33.2F (custom)
Problem Types
TypeCWE IDDescription
CWECWE-1284CWE-1284 Improper Validation of Specified Quantity in Input
Type: CWE
CWE ID: CWE-1284
Description: CWE-1284 Improper Validation of Specified Quantity in Input
Metrics
VersionBase scoreBase severityVector
3.12.6LOW
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-1CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC ID: CAPEC-1
Description: CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Solutions

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2025-2826 has been fixed in the following releases: * 4.33.2.1F, 4.33.3F and later releases in the 4.33.x train

Configurations

In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following: switch> show ip access-lists summary Phone ACL bypass: disabled IPV4 ACL default-control-plane-acl [readonly]         Total rules configured: 27         Configured on Ingress: control-plane(default VRF)         Active on     Ingress: control-plane(default VRF) IPV4 ACL ipv4ACL         Total rules configured: 2         Configured on Ingress: Et18/1         Active on     Ingress: Et18/1   or switch>show mac access-lists summary MAC ACL macAcl         Total rules configured: 2         Configured on Ingress: Et18/1         Active on     Ingress: Et18/1   or switch>show ipv6 access-lists summary Phone ACL bypass: disabled IPV6 ACL default-control-plane-acl [readonly]         Total rules configured: 27         Configured on Ingress: control-plane(default VRF)         Active on     Ingress: control-plane(default VRF) Standard IPV6 ACL ipv6StandardACL         Total rules configured: 2         Configured on Ingress: Et21/1         Active on     Ingress: Et21/1   If IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces˜ listed, similar to the following: switch> show ip access-lists summary Phone ACL bypass: disabled IPV4 ACL default-control-plane-acl [readonly]         Total rules configured: 27         Configured on Ingress: control-plane(default VRF)         Active on     Ingress: control-plane(default VRF)   or switch>show mac access-lists summary   or switch>show ipv6 access-lists summary Phone ACL bypass: disabled IPV6 ACL default-control-plane-acl [readonly]         Total rules configured: 27         Configured on Ingress: control-plane(default VRF)         Active on     Ingress: control-plane(default VRF)

Workarounds

No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120
N/A
Hyperlink: https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@arista.com
Published At:27 May, 2025 | 23:15
Updated At:28 May, 2025 | 15:01

n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are: * Packets which should be permitted may be dropped and, * Packets which should be dropped may be permitted.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.12.6LOW
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-1284Secondarypsirt@arista.com
CWE ID: CWE-1284
Type: Secondary
Source: psirt@arista.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120psirt@arista.com
N/A
Hyperlink: https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120
Source: psirt@arista.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2024-9448
Matching Score-6
Assigner-Arista Networks, Inc.
ShareView Details
Matching Score-6
Assigner-Arista Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.09% / 25.72%
||
7 Day CHG~0.00%
Published-08 May, 2025 | 19:14
Updated-25 Aug, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
On affected platforms running Arista EOS with Traffic Policies configured the vulnerability will cause received untagged packets not to hit Traffic Policy rules that they are expected to hit. If the rule was to drop the packet, the packet will not be dropp

On affected platforms running Arista EOS with Traffic Policies configured the vulnerability will cause received untagged packets not to hit Traffic Policy rules that they are expected to hit. If the rule was to drop the packet, the packet will not be dropped and instead will be forwarded as if the rule was not in place. This could lead to packets being delivered to unexpected destinations.

Action-Not Available
Vendor-Arista Networks, Inc.
Product-EOS
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2024-8000
Matching Score-6
Assigner-Arista Networks, Inc.
ShareView Details
Matching Score-6
Assigner-Arista Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 10.10%
||
7 Day CHG~0.00%
Published-04 Mar, 2025 | 20:20
Updated-04 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restar

On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.

Action-Not Available
Vendor-Arista Networks, Inc.
Product-EOS
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2021-28510
Matching Score-6
Assigner-Arista Networks, Inc.
ShareView Details
Matching Score-6
Assigner-Arista Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.57% / 67.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-01 Apr, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

Action-Not Available
Vendor-Arista Networks, Inc.
Product-7060sx2-48yc67050qx-32s7304x37150s-647500r27260qx7500r3-36cq7300x-64t7800r3k-48cq7060cx-32s7328x7500r37300x-64s7250qx-647050sx3-48yc7050sx3-48yc87060dx4-32720xp-24y67280sr3k-48yc87300x3-32c7260cx7150s-247320x-32c7512r3720xp-24zy47260cx37170-64c7804r37050sx-72q7280e7050cx3-32s7050sx2-72qeos7150sc-247050sx2-1287260cx3-647504r37020r7150s-527300x3-48yc47050sx-647170-32c720xp-48zc2720xp-96zc27050sx3-48yc12720xp-48y67500r3-24d7500r3-24p7800r3-48cq7300x-32q7500r7170-32cd7050cx3m-32s7368x47050sx-1287050tx-647050tx3-48c87050tx-72q7060px4-327280r37150sc-647280r7060cx2-32s7050tx-487050qx2-32s7500r3k-36cq7508r37500e7800r3-36p7808r37050tx2-1287308x37050sx3-96yc87280r27324x7050sx3-48c87280sr3-48yc8EOS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
Details not found