{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-2826","assignerOrgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","state":"PUBLISHED","assignerShortName":"Arista","dateReserved":"2025-03-26T16:02:22.894Z","datePublished":"2025-05-27T22:22:51.717Z","dateUpdated":"2025-05-28T13:34:08.151Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["EOS"],"product":"EOS","vendor":"Arista Networks","versions":[{"status":"affected","version":"4.33.2F","versionType":"custom"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interface or one or more LAG interfaces. The output of CLI show commands will look similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">IPV4 ACL ipv4ACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n<span style=\"background-color: rgb(255, 255, 0);\">MAC ACL macAcl</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> 
Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">Standard IPV6 ACL ipv6StandardACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et21/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et21/1\n</pre><div>&nbsp;</div><p>If IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces, there is no exposure to this issue and the CLI show command output has no active interfaces listed, similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><br><br>"}],"value":"In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress 
ACL must be configured and active on more than one Ethernet interface or one or more LAG interfaces. The output of CLI show commands will look similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n        Total rules configured: 27\n        Configured on Ingress: control-plane(default VRF)\n        Active on     Ingress: control-plane(default VRF)\n \nIPV4 ACL ipv4ACL\n        Total rules configured: 2\n        Configured on Ingress: Et18/1\n        Active on     Ingress: Et18/1\n\n\n \n\nor\n\nswitch>show mac access-lists summary\nMAC ACL macAcl\n        Total rules configured: 2\n        Configured on Ingress: Et18/1\n        Active on     Ingress: Et18/1\n\n\n \n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n        Total rules configured: 27\n        Configured on Ingress: control-plane(default VRF)\n        Active on     Ingress: control-plane(default VRF)\n \nStandard IPV6 ACL ipv6StandardACL\n        Total rules configured: 2\n        Configured on Ingress: Et21/1\n        Active on     Ingress: Et21/1\n\n\n \n\nIf IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces, there is no exposure to this issue and the CLI show command output has no active interfaces listed, similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n        Total rules configured: 27\n        Configured on Ingress: control-plane(default VRF)\n        Active on     Ingress: control-plane(default VRF)\n\n\n \n\nor\n\nswitch>show mac access-lists summary\n\n\n \n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n        Total rules configured: 27\n        Configured on Ingress: 
control-plane(default VRF)\n        Active on     Ingress: control-plane(default VRF)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>On affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:</p><ol><li>Packets which should be permitted may be dropped and,</li><li>Packets which should be dropped may be permitted.</li></ol><br>"}],"value":"On affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. 
The two symptoms of this issue on the affected release and platform are:\n\n  *  Packets which should be permitted may be dropped and,\n  *  Packets which should be dropped may be permitted."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"ADJACENT_NETWORK","availabilityImpact":"NONE","baseScore":2.6,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1284","description":"CWE-1284 Improper Validation of Specified Quantity in Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","shortName":"Arista","dateUpdated":"2025-05-27T22:22:51.717Z"},"references":[{"url":"https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a></p><p>CVE-2025-2826 has been fixed in the following releases:</p><ul><li>4.33.2.1F, 4.33.3F and later releases in the 4.33.x train</li></ul>"}],"value":"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. 
Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-2826 has been fixed in the following releases:\n\n  *  4.33.2.1F, 4.33.3F and later releases in the 4.33.x train"}],"source":{"advisory":"SA120","defect":["BUG 795398"],"discovery":"INTERNAL"},"title":"On affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.</span><br>"}],"value":"No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-28T13:33:59.901353Z","id":"CVE-2025-2826","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-28T13:34:08.151Z"}}]}}