CVE-2025-5089: CWE-20: Improper Input Validation in Arista Networks EOS / CloudVision eXchange (CVX)
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
AI Analysis
Technical Summary
This vulnerability arises from improper input validation (CWE-20) in the communication between EOS switches and CVX servers in a CVX cluster. Malformed messages sent from either side can crash critical agents, causing soft resets of EOS switches or instability in the CVX cluster. The attack surface is limited to scenarios where an attacker already has high privilege access to a connected device, as they must send custom TCP packets to trigger the issue. Affected versions include EOS and CVX releases from 4.30.0 up to 4.34.0F. No cloud service is involved, and no known exploits are reported in the wild. The CVSS v3.1 base score is 6.5, reflecting a medium severity denial of service impact with network attack vector, low attack complexity, and required privileges.
Potential Impact
Successful exploitation results in denial of service by crashing the Sysdb agent on EOS devices, causing soft resets, or crashing agents on the CVX server, causing cluster instability. There is no impact on confidentiality or integrity. The vulnerability requires an attacker to have high privilege access to a connected device, limiting the risk to internal or already compromised environments.
Mitigation Recommendations
Currently, there is no official patch or remediation level provided by the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict high privilege access to devices connected in a CVX cluster and monitor for unusual agent crashes or instability. EOS switches not connected to a CVX server are not affected.
CVE-2025-5089: CWE-20: Improper Input Validation in Arista Networks EOS / CloudVision eXchange (CVX)
Description
In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from improper input validation (CWE-20) in the communication between EOS switches and CVX servers in a CVX cluster. Malformed messages sent from either side can crash critical agents, causing soft resets of EOS switches or instability in the CVX cluster. The attack surface is limited to scenarios where an attacker already has high privilege access to a connected device, as they must send custom TCP packets to trigger the issue. Affected versions include EOS and CVX releases from 4.30.0 up to 4.34.0F. No cloud service is involved, and no known exploits are reported in the wild. The CVSS v3.1 base score is 6.5, reflecting a medium severity denial of service impact with network attack vector, low attack complexity, and required privileges.
Potential Impact
Successful exploitation results in denial of service by crashing the Sysdb agent on EOS devices, causing soft resets, or crashing agents on the CVX server, causing cluster instability. There is no impact on confidentiality or integrity. The vulnerability requires an attacker to have high privilege access to a connected device, limiting the risk to internal or already compromised environments.
Mitigation Recommendations
Currently, there is no official patch or remediation level provided by the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict high privilege access to devices connected in a CVX cluster and monitor for unusual agent crashes or instability. EOS switches not connected to a CVX server are not affected.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Arista
- Date Reserved
- 2025-05-22T16:26:45.461Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a22fdf3e29bf47b50937305
Added to database: 6/5/2026, 4:48:51 PM
Last enriched: 6/5/2026, 5:04:38 PM
Last updated: 6/6/2026, 4:22:36 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.