CVE-2025-5090
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.34.0F <= 4.34.1F | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.33.0M <= 4.33.4M | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.32.0M <= 4.32.6M | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.31.0 < 4.32.0 | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.30.0 < 4.31.0 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
Workarounds
There is no mitigation for this issue.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.