CVE-2025-2796: CWE-284 in Arista Networks EOS

Medium
Published: Tue May 27 2025 (05/27/2025, 22:16:53 UTC)
Source: CVE Database V5
Vendor/Project: Arista Networks
Product: EOS

Description

On affected platforms with hardware IPSec support running Arista EOS with IPsec enabled and anti-replay protection configured, EOS may exhibit unexpected behavior in specific cases. Received duplicate encrypted packets, which should be dropped under normal anti-replay protection, will instead be forwarded due to this vulnerability. Note: this issue does not affect VXLANSec or MACSec encryption functionality.

AI-Powered Analysis

Last updated: 07/06/2025, 01:27:17 UTC

Technical Analysis

CVE-2025-2796 is a medium-severity vulnerability affecting Arista Networks EOS version 4.33.0 on platforms with hardware IPSec support when IPsec is enabled and anti-replay protection is configured. The vulnerability arises because the EOS software incorrectly handles duplicate encrypted packets that should normally be dropped by the anti-replay mechanism. Instead of discarding these duplicate packets, the system forwards them, which constitutes a failure in enforcing proper access control (CWE-284). This behavior could allow an attacker to replay previously captured encrypted packets, potentially leading to unauthorized actions or information leakage depending on the network context. Importantly, this vulnerability does not affect VXLANSec or MACSec encryption functionalities, limiting its scope to IPsec traffic only. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges or user interaction required, and limited impact confined to integrity (no confidentiality or availability impact). No known exploits are currently reported in the wild, and no patches have been linked yet. The issue was publicly disclosed on May 27, 2025, with the vulnerability reserved since March 25, 2025.

Potential Impact

For European organizations, especially those relying on Arista EOS devices with hardware IPsec support for secure site-to-site VPNs or encrypted network segments, this vulnerability could undermine the integrity of encrypted communications. Attackers capable of injecting or replaying duplicate encrypted packets might bypass replay protections, potentially causing unauthorized command execution or session manipulation within the network. While confidentiality and availability are not directly impacted, integrity violations could lead to subtle network disruptions or unauthorized data manipulation, which is critical in sectors such as finance, telecommunications, and government infrastructure. Since Arista EOS is widely used in data centers and enterprise networks across Europe, organizations using affected versions without mitigations may face increased risk of targeted replay attacks, especially in high-security environments where IPsec is a primary encryption method. The absence of known exploits reduces immediate risk, but the vulnerability's presence in core network infrastructure warrants prompt attention.

Mitigation Recommendations

European organizations should first inventory their network infrastructure to identify Arista EOS devices running version 4.33.0 with hardware IPsec and anti-replay protection enabled. Until a vendor patch is released, administrators should consider temporarily disabling IPsec anti-replay protection if operationally feasible and if it does not violate security policies, or alternatively, implement additional network-level protections such as ingress filtering and strict packet validation to detect and block replayed packets. Monitoring network traffic for unusual duplicate encrypted packets could help detect exploitation attempts. Network segmentation and limiting exposure of IPsec endpoints to untrusted networks can reduce attack surface. Organizations should maintain close contact with Arista Networks for timely patch releases and apply updates promptly once available. Additionally, reviewing and hardening IPsec configurations, including key management and replay window settings, may mitigate risk. Finally, integrating anomaly detection systems that can identify replay attacks at the network layer will provide an additional defense.
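The duplicate check that anti-replay protection is meant to enforce, applied as a passive monitor over captured ESP packets. This is an added example, not Arista's code and not part of the original entry. It assumes a 64-packet window and 32-bit sequence numbers without ESN; the class name, function names and sample packets are constructed for illustration.

```python
import struct

WINDOW = 64  # assumed window size (illustrative; match the configured replay window)

class ReplayWindow:
    """Sliding-window duplicate check for one SA (hypothetical helper, no ESN)."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number seen so far
        self.bitmap = 0   # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return 'ok', 'duplicate' or 'stale' and update the window."""
        if seq == 0:
            return "stale"                 # ESP sequence numbers start at 1
        if seq > self.top:                 # new highest: slide the window right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"                 # left of the window, cannot be vouched for
        if self.bitmap & (1 << offset):
            return "duplicate"             # what a working receiver would drop
        self.bitmap |= 1 << offset
        return "ok"

def find_replays(esp_payloads):
    """esp_payloads: iterable of bytes starting at the ESP header (SPI, sequence)."""
    windows, findings = {}, []
    for index, payload in enumerate(esp_payloads):
        if len(payload) < 8:
            continue                       # truncated: no complete ESP header
        spi, seq = struct.unpack("!II", payload[:8])
        verdict = windows.setdefault(spi, ReplayWindow()).check(seq)
        if verdict != "ok":
            findings.append((index, spi, seq, verdict))
    return findings

def esp(spi, seq):
    """Constructed sample packet: ESP header plus dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

SAMPLE = [esp(0x1001, 1), esp(0x1001, 2), esp(0x1001, 4), esp(0x1001, 3),
          esp(0x1001, 2), esp(0x2002, 1), esp(0x1001, 100), esp(0x1001, 4)]
```

A passive monitor cannot verify the ESP integrity check value, so its findings are indicators to investigate rather than proof of replay; duplicates can also come from ordinary network duplication.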


Technical Details

Data Version: 5.1
Assigner Short Name: Arista
Date Reserved: 2025-03-25T16:27:53.397Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68363c92182aa0cae227ff9f

Added to database: 5/27/2025, 10:28:34 PM

Last enriched: 7/6/2025, 1:27:17 AM

Last updated: 8/7/2025, 9:55:37 PM
