CVE-2025-5090

Summary

CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS / CloudVision eXchange (CVX)4.34.0F <= 4.34.1Faffected
Arista NetworksEOS / CloudVision eXchange (CVX)4.33.0M <= 4.33.4Maffected
Arista NetworksEOS / CloudVision eXchange (CVX)4.32.0M <= 4.32.6Maffected
Arista NetworksEOS / CloudVision eXchange (CVX)4.31.0 < 4.32.0affected
Arista NetworksEOS / CloudVision eXchange (CVX)4.30.0 < 4.31.0affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

Workarounds

There is no mitigation for this issue.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References