CVE-2025-0505

Summary

On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksCloudVision Portal2024.2.0 <= 2024.2.1affected
Arista NetworksCloudVision Portal2024.3.0affected

Weaknesses

  • CWE-269: CWE-269 Improper Privilege Management

Workarounds

The ZTP component on CloudVision (on-premise) can be disabled by running the following on any of the nodes of the CloudVision deployment (Note that this will disable the Zero Touch Provisioning feature on CloudVision):

cvpi disable ztp cvpi stop ztp

 

The following command can be used to verify that the component is stopped:

cvpi status ztp

Executing command. This may take some time… Completed 1/1 discovered actions primary components total:1 running:0 disabled:1

 

The component may be enabled after upgrading to one the remediated software versions (See  Resolution https://www.arista.com/en/support/advisories-notices/security-advisory/21315-security-advisory-0115#pageLink-1 ) using the following commands:

cvpi enable ztp cvpi start ztp

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References