SB2026062432 - Multiple vulnerabilities in Arista EOS

Published: June 24, 2026

Security Bulletin ID: SB2026062432
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 33%, Low: 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Cleartext storage of sensitive information (CVE-ID: CVE-2026-11704)

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to stream unexpected data to CloudVision.

The vulnerability exists due to cleartext storage of sensitive information in the Streaming Telemetry Agent (TerminAttr) when streaming to CloudVision. A remote privileged user can read the stored data and use it to stream unexpected data to CloudVision.

The agent must be configured to stream to CloudVision for exploitation.


2) Execution with unnecessary privileges (CVE-ID: CVE-2026-11705)

CWE-ID: CWE-250 - Execution with Unnecessary Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify system data.

The vulnerability exists due to execution with unnecessary privileges in the Streaming Telemetry Agent (TerminAttrRW) when processing a crafted set of packets. A remote user can send a crafted set of packets to modify system data.

Exploitation requires the agent to be active in a specific non-default configuration and configured to stream as TerminAttrRW.


3) Incorrect default permissions (CVE-ID: CVE-2026-52895)

CWE-ID: CWE-276 - Incorrect Default Permissions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to view and alter user credentials.

The vulnerability exists due to incorrect default permissions in the device when handling credential data for logged-in users. A local user can access and modify credential data to view and alter user credentials.

Exploitation is limited to users logged into the device.


4) Improper Certificate Validation (CVE-ID: CVE-2026-52896)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper certificate validation in the Streaming Telemetry Agent (TerminAttr) when using the gRPC tunnel. A remote attacker can present a certificate that is improperly validated and thereby disclose sensitive information.

Only certain configurations using the gRPC tunnel are vulnerable.


5) Improper privilege management (CVE-ID: CVE-2026-52897)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform unauthorized operations.

The vulnerability exists due to improper privilege management in user privilege handling on the device when authenticated users access the system. A local user can obtain privilege levels that exceed intended restrictions to perform unauthorized operations.

The agent must be configured to stream to CloudVision for exploitation.


6) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-52898)

CWE-ID: CWE-668 - Exposure of Resource to Wrong Sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose unintended data.

The vulnerability exists due to exposure of resource to wrong sphere in the Streaming Telemetry Agent (TerminAttr) when processing a specifically designed sequence of packets. A remote user can send a specifically designed sequence of packets to disclose unintended data.

The agent must be configured to stream to CloudVision and run with the -cveapimode=queued flag.
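The CVSS v4.0 vectors in the six entries above encode who can reach each issue and what it costs the affected device. The following added example (not part of this bulletin or of Arista's tooling) parses those vectors, rejects malformed ones, and lists the entries a defender would patch first, such as the single remote, unauthenticated one; the function and field names are assumptions of this example.

```python
import re
BULLETIN_VECTORS = {  # copied from the six entries in this bulletin
    "CVE-2026-11704": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-11705": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-52895": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-52896": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-52897": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-52898": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
}
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

def parse_cvss4(vector):
    # Split a CVSS:4.0 vector into {metric: value}; reject malformed input.
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in rest.split("/"):
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Za-z]+)", part)
        if not m or m.group(1) in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[m.group(1)] = m.group(2)
    if any(k not in metrics for k in BASE_METRICS):
        raise ValueError("vector is missing base metrics")
    return metrics

def is_valid_cvss4(vector):
    try:
        return bool(parse_cvss4(vector))
    except ValueError:
        return False

def triage(vectors):
    # Per-CVE exploitation preconditions a defender wants to see first.
    rows = {}
    for cve, vec in vectors.items():
        m = parse_cvss4(vec)
        rows[cve] = {
            "remote": m["AV"] == "N",               # reachable over the network
            "unauthenticated": m["PR"] == "N",      # no account needed
            "needs_preconditions": m["AT"] == "P",  # e.g. a specific configuration
            "max_impact": max((m[k] for k in ("VC", "VI", "VA")), key="NLH".index),
        }
    return rows

def summary(rows):
    return {
        "exploitation_vector": "Remote access" if any(r["remote"] for r in rows.values()) else "Local access",
        "remote_unauthenticated": sorted(c for c, r in rows.items() if r["remote"] and r["unauthenticated"]),
        "high_impact": sorted(c for c, r in rows.items() if r["max_impact"] == "H"),
    }
```

Severity percentages are not reproduced here because CVSS v4.0 scoring needs the full lookup table; the preconditions above are what drive patch ordering in practice.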


Remediation

Install the update from the vendor's website.