CVE-2025-5090
CVX Cluster DoS via Malicious Switch Messages
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: Arista Networks, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arista | cvx | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only highly privileged and trusted users have access to the connected switch, as the attacker requires high privilege to send custom TCP packets to the CVX.
Additionally, monitor and restrict unexpected or custom TCP traffic from the connected switch to the CVX to prevent potential denial of service attacks.
How can this vulnerability impact me? :
The primary impact of this vulnerability is the potential for denial of service (DoS) attacks against the CVX cluster.
If exploited, the CVX agent crashes and the cluster becomes unstable, which could disrupt network operations relying on CVX.
However, exploitation requires the attacker to have high privilege access to the connected switch, which limits the attack surface.
Can you explain this vulnerability to me?
This vulnerability occurs because CVX is not resilient to unexpected messages from a connected switch. When such unexpected messages are received, the CVX agent crashes, causing instability in the CVX cluster.
An attacker with high privilege access to the connected switch could exploit this by sending custom TCP packets to CVX, triggering these crashes.
This behavior can be used to create a denial of service (DoS) scenario against the CVX cluster.