CVE-2025-5089
Status: Awaiting Analysis
Denial of Service in Arista EOS Switch CVX Cluster

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Arista Networks, Inc.

Description
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device, causing a soft reset of the switch, or agent crashes on the CVX server, causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have high-privilege access to the connected device in order to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-05
Generated: 2026-06-06
AI Q&A: 2026-06-05
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
arista   eos       *
arista   cvx       *
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in a CVX cluster where an EOS switch connected to a CVX server is not resilient to certain malformed messages sent from the connected CVX server, and vice versa. These malformed messages can cause the Sysdb agent on the EOS device to crash, leading to a soft reset of the switch, or cause agent crashes on the CVX server, resulting in instability of the CVX cluster.

An attacker with high privilege access to the connected device could exploit this by sending custom TCP packets that trigger these crashes, potentially causing a denial of service (DoS) condition. EOS switches not connected to a CVX server are not affected.


How can this vulnerability impact me?

The vulnerability can lead to denial of service (DoS) scenarios by causing crashes of critical agents on either the EOS switch or the CVX server. This results in a soft reset of the switch or instability in the CVX cluster, potentially disrupting network operations and availability.

However, exploitation requires the attacker to already have high privilege access to the connected device, limiting the attack surface to privileged insiders or compromised devices.

