{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-3456","assignerOrgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","state":"PUBLISHED","assignerShortName":"Arista","dateReserved":"2025-04-08T21:38:05.413Z","datePublished":"2025-08-25T20:02:48.722Z","dateUpdated":"2025-08-25T20:31:54.730Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["EOS"],"product":"EOS","vendor":"Arista Networks","versions":[{"status":"affected","version":"4.34.0F","versionType":"custom"},{"lessThanOrEqual":"4.33.3F","status":"affected","version":"4.33.0","versionType":"custom"},{"lessThanOrEqual":"4.32.5M","status":"affected","version":"4.32.0","versionType":"custom"},{"lessThanOrEqual":"4.31.7M","status":"affected","version":"4.31.0","versionType":"custom"},{"lessThanOrEqual":"4.30.10M","status":"affected","version":"4.30.0","versionType":"custom"},{"lessThanOrEqual":"4.29.10M","status":"affected","version":"4.29.0","versionType":"custom"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

In order to be vulnerable to CVE-2025-3456, the following condition must be met:

The global custom encryption key must be configured:

switch#show running-config | sect management security\nmanagement security\n   password encryption-key common custom <key>

"}],"value":"In order to be vulnerable to CVE-2025-3456, the following condition must be met:\n\nThe global custom encryption key must be configured:\n\nswitch#show running-config | sect management security\nmanagement security\n   password encryption-key common custom "}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.
"}],"value":"On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships."}],"impacts":[{"capecId":"CAPEC-545","descriptions":[{"lang":"en","value":"CAPEC-545: Pull Data from System Resources"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.8,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-532","description":"CWE-532 Insertion of Sensitive Information into Log File","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","shortName":"Arista","dateUpdated":"2025-08-25T20:02:48.722Z"},"references":[{"url":"https://https://www.arista.com/en/support/advisories-notices/security-advisory/22022-security-advisory-0122"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades

 
CVE-2025-3456 has been fixed in the following releases:
"}],"value":"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\n \n\nCVE-2025-3456 has been fixed in the following releases:\n\n * 4.34.1F and later releases in the 4.34.x train\n * 4.33.4M and later releases in the 4.33.x train\n * 4.32.6M and later releases in the 4.32.x train\n * 4.31.8M and later releases in the 4.31.x train"}],"source":{"advisory":"122","defect":["BUG1114420"],"discovery":"INTERNAL"},"title":"On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-c","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience and afterwards rotate the custom global encryption-key.
"}],"value":"There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience and afterwards rotate the custom global encryption-key."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-08-25T20:31:37.034026Z","id":"CVE-2025-3456","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-08-25T20:31:54.730Z"}}]}}