CVE-2025-54549

Summary

Cryptographic validation of upgrade images could be circumventing by dropping a specifically crafted file into the upgrade ISO

Affected Software

VendorProductVersion RangeStatus
Arista NetworksDANZ Monitoring Fabric0affected
Arista NetworksDANZ Monitoring Fabric0 <= DMF 8.6.1affected
Arista NetworksDANZ Monitoring Fabric0 <= DMF 8.5.2affected
Arista NetworksDANZ Monitoring Fabric0 <= CCF 6.2.4affected
Arista NetworksDANZ Monitoring Fabric0 <= CVA 7.0affected
Arista NetworksDANZ Monitoring Fabric0 <= MCD 2.4.0affected

Weaknesses

  • CWE-347: CWE-347 Improper Verification of Cryptographic Signature

Workarounds

A downloaded upgrade image can be manually checked against the hash values published on arista.com https://www.arista.com/support/software-download . If the published hash values do not match those of the image this is a potential indicator of compromise.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References