CVE-2025-2796 is a medium-severity vulnerability affecting Arista Networks EOS version 4.33.0 on platforms with hardware IPSec support when IPsec is enabled and anti-replay protection is configured. The vulnerability arises because the EOS software incorrectly handles duplicate encrypted packets that should normally be dropped by the anti-replay mechanism. Instead of discarding these duplicate packets, the system forwards them, which constitutes a failure in enforcing proper access control (CWE-284). This behavior could allow an attacker to replay previously captured encrypted packets, potentially leading to unauthorized actions or information leakage depending on the network context. Importantly, this vulnerability does not affect VXLANSec or MACSec encryption functionalities, limiting its scope to IPsec traffic only. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges or user interaction required, and limited impact confined to integrity (no confidentiality or availability impact). No known exploits are currently reported in the wild, and no patches have been linked yet. The issue was publicly disclosed on May 27, 2025, with the vulnerability reserved since March 25, 2025.

For European organizations, especially those relying on Arista EOS devices with hardware IPsec support for secure site-to-site VPNs or encrypted network segments, this vulnerability could undermine the integrity of encrypted communications. Attackers capable of injecting or replaying duplicate encrypted packets might bypass replay protections, potentially causing unauthorized command execution or session manipulation within the network. While confidentiality and availability are not directly impacted, integrity violations could lead to subtle network disruptions or unauthorized data manipulation, which is critical in sectors such as finance, telecommunications, and government infrastructure. Since Arista EOS is widely used in data centers and enterprise networks across Europe, organizations using affected versions without mitigations may face increased risk of targeted replay attacks, especially in high-security environments where IPsec is a primary encryption method. The absence of known exploits reduces immediate risk, but the vulnerability's presence in core network infrastructure warrants prompt attention.

European organizations should first inventory their network infrastructure to identify Arista EOS devices running version 4.33.0 with hardware IPsec and anti-replay protection enabled. Until a vendor patch is released, administrators should consider temporarily disabling IPsec anti-replay protection if operationally feasible and if it does not violate security policies, or alternatively, implement additional network-level protections such as ingress filtering and strict packet validation to detect and block replayed packets. Monitoring network traffic for unusual duplicate encrypted packets could help detect exploitation attempts. Network segmentation and limiting exposure of IPsec endpoints to untrusted networks can reduce attack surface. Organizations should maintain close contact with Arista Networks for timely patch releases and apply updates promptly once available. Additionally, reviewing and hardening IPsec configurations, including key management and replay window settings, may mitigate risk. Finally, integrating anomaly detection systems that can identify replay attacks at the network layer will provide an additional defense.