CVE-2025-5089
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service in Arista EOS Switch CVX Cluster

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Arista Networks, Inc.

Description
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2025-5089
EUVD
EUVD-2025-210075
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arista eos *
arista cvx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in a CVX cluster where an EOS switch connected to a CVX server is not resilient to certain malformed messages sent from the connected CVX server, and vice versa. These malformed messages can cause the Sysdb agent on the EOS device to crash, leading to a soft reset of the switch, or cause agent crashes on the CVX server, resulting in instability of the CVX cluster.

An attacker with high privilege access to the connected device could exploit this by sending custom TCP packets that trigger these crashes, potentially causing a denial of service (DoS) condition. EOS switches not connected to a CVX server are not affected.

Impact Analysis

The vulnerability can lead to denial of service (DoS) scenarios by causing crashes of critical agents on either the EOS switch or the CVX server. This results in a soft reset of the switch or instability in the CVX cluster, potentially disrupting network operations and availability.

However, exploitation requires the attacker to already have high privilege access to the connected device, limiting the attack surface to privileged insiders or compromised devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-5089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart