Improper privilege management in Arista Extensible Operating System (EOS) and Arista CloudEOS VM - CVE-2025-5088


Published: April 15, 2026

Vulnerability identifier: #VU126167
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-5088
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Arista Networks
Affected software:
Arista Extensible Operating System (EOS)
Arista CloudEOS VM

Detailed vulnerability description

The vulnerability allows a remote user to obtain full root access to all servers in the CVX cluster.

The vulnerability exists due to improper privilege management in the MCS Redis service when handling an authenticated Redis session. A remote user can use an authenticated Redis session to obtain full root access to all servers in the CVX cluster.

Only systems with the MCS service enabled are vulnerable. Note that Redis communication, including authentication, takes place in plaintext.

How to mitigate CVE-2025-5088

Install the security update from the vendor's website.

Sources