CVE-2025-0505
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | CloudVision Portal | 2024.2.0 <= 2024.2.1 | affected |
| Arista Networks | CloudVision Portal | 2024.3.0 | affected |
Weaknesses
- CWE-269: CWE-269 Improper Privilege Management
Workarounds
The ZTP component on CloudVision (on-premise) can be disabled by running the following on any of the nodes of the CloudVision deployment (Note that this will disable the Zero Touch Provisioning feature on CloudVision):
cvpi disable ztp cvpi stop ztp
The following command can be used to verify that the component is stopped:
cvpi status ztp
Executing command. This may take some time… Completed 1/1 discovered actions primary components total:1 running:0 disabled:1
The component may be enabled after upgrading to one the remediated software versions (See Resolution https://www.arista.com/en/support/advisories-notices/security-advisory/21315-security-advisory-0115#pageLink-1 ) using the following commands:
cvpi enable ztp cvpi start ztp
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.