CVE-2024-12829 is an OS command injection vulnerability identified in the ExecManagerImpl class of Arista NG Firewall version 17.1.1. The root cause is improper neutralization of special elements in user-supplied input, which is used directly in system calls without adequate validation or sanitization. This flaw allows an authenticated remote attacker to inject arbitrary OS commands that execute with root privileges, leading to full system compromise. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-24015 and published on December 20, 2024. The CVSS v3.0 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, and required privileges but no user interaction. The scope is unchanged, meaning the impact is confined to the vulnerable component but with high confidentiality, integrity, and availability impacts. No public exploits have been reported yet, but the potential for remote code execution makes this a critical concern for organizations relying on Arista NG Firewall for network security. The vulnerability underscores the importance of input validation in security-critical components that execute system commands.

Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands as root on the affected firewall, leading to complete compromise of the device. This can result in unauthorized access to sensitive network traffic, manipulation or disruption of firewall policies, and potential lateral movement within the network. The confidentiality of data passing through the firewall can be breached, integrity of network controls can be undermined, and availability of the firewall service can be disrupted or denied. Given the firewall’s role as a critical security boundary, this vulnerability poses a significant risk to organizational network security and could facilitate further attacks against internal systems.

Organizations should immediately verify if they are running Arista NG Firewall version 17.1.1 and prioritize upgrading to a patched version once available. Until a patch is released, restrict administrative access to the firewall to trusted personnel and networks only, employing network segmentation and strong authentication controls. Monitor firewall logs for unusual command execution or administrative activity. Implement strict input validation and command execution policies where possible. Consider deploying additional network-level protections such as intrusion detection/prevention systems (IDS/IPS) to detect anomalous behavior. Regularly audit firewall configurations and access controls to minimize the risk of credential compromise. Engage with Arista support for any available workarounds or hotfixes and subscribe to vendor advisories for updates.