{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-8873","assignerOrgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","state":"PUBLISHED","assignerShortName":"Arista","dateReserved":"2025-08-11T18:28:43.460Z","datePublished":"2026-06-04T23:04:56.535Z","dateUpdated":"2026-06-05T18:31:35.487Z"},"containers":{"cna":{"providerMetadata":{"orgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","shortName":"Arista","dateUpdated":"2026-06-04T23:04:56.535Z"},"title":"Arista EOS Dataplane Denial of Service via Malformed IPsec Packet","datePublic":"2026-06-04T22:53:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-1286","description":"CWE-1286: Improper Validation of Syntactic Correctness of Input","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-125","descriptions":[{"lang":"en","value":"CAPEC-125 Flooding"}]}],"affected":[{"vendor":"Arista Networks","product":"EOS","platforms":["7020SRG Series"],"versions":[{"status":"affected","version":"4.33.0M","lessThanOrEqual":"4.33.4M","versionType":"custom"},{"status":"affected","version":"4.32.0M","lessThanOrEqual":"4.32.6.1M","versionType":"custom"},{"status":"affected","version":"4.31.0M","lessThanOrEqual":"4.31.7.1M","versionType":"custom"},{"status":"affected","version":"4.30.0M","lessThanOrEqual":"4.30.10M","versionType":"custom"},{"status":"affected","version":"4.29.0M","lessThanOrEqual":"4.29.10.1M","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.</p>"}]}],"references":[{"url":"https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127","tags":["vendor-advisory"]}],"configurations":[{"lang":"en","value":"In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\n\n\n\n\nswitch>show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\n\n\n\n\nIf IPsec is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\nswitch>show ip security connection\nLegend: (P) policy based VPN tunnel.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:</p>\n<pre><code>switch&gt;show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.</code></pre>\n<p>If IPsec is not configured there is no exposure to this issue and the message will look like:</p>\n<pre><code>switch&gt;show ip security connection\nLegend: (P) policy based VPN tunnel.</code></pre>"}]}],"workarounds":[{"lang":"en","value":"There are no mitigations for this vulnerability.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>There are no mitigations for this vulnerability.</p>"}]}],"solutions":[{"lang":"en","value":"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .\n\n\n\nThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\n\n\n\nswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\n\n \n\n\n\nTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match ipsec-egress-padding-removal:\n\n\n\nswitch(config-tcam)#show hardware tcam profile\n                     Configuration            Status\nFixedSystem          ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\n\n \n\n\n\n‘ipsec-egress-padding-removal’ differs from the ‘ipsec’ TCAM profile in two ways:\n\n  *  Egress IP ACLs are disabled\n  *  Fixes for BUG603398 and BUG1246592 are applied","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see&nbsp;<a href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\">EOS User Manual: Upgrades and Downgrades</a></p><div>CVE-2025-8873 has been fixed in the following releases:</div><ul><li>4.33.5M and later releases in the 4.33.x train</li><li>4.32.7M and later releases in the 4.32.x train</li></ul><p>After upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal:&nbsp;<a href=\"https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\" target=\"_blank\" rel=\"noopener noreferrer\">https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal</a>.</p><p>This may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.</p><pre>switch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n</pre><div>&nbsp;</div><p>To ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match&nbsp;<b>ipsec-egress-padding-removal</b>:</p><pre>switch(config-tcam)#show hardware tcam profile\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Configuration&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Status\nFixedSystem&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ipsec-egress-padding-removal \nipsec-egress-padding-removal\n</pre><div>&nbsp;</div><p>‘<b>ipsec-egress-padding-removal</b>’ differs from the ‘<b>ipsec</b>’ TCAM profile in two ways:</p><ul><li>Egress IP ACLs are disabled</li><li>Fixes for BUG603398 and BUG1246592 are applied</li></ul>"}]}],"source":{"defect":["BUG 1246592"],"advisory":"127","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram"},"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":8.7,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-05T18:31:22.291972Z","id":"CVE-2025-8873","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-05T18:31:35.487Z"}}]}}