Arista EOS ACL Enforcement Bypass Vulnerability (CVE-2025-2826) Advisory

Key Information Vulnerability Overview CVE ID: CVE-2025-2826 CVSSv3.1 Base Score: 2.9 (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) Current Weakness Enumeration: CWE-284 Improper Access Control Tracking Number: BUG 75539B Description When running Arista EOS on affected platforms, ACL policies may fail to enforce. Enabling IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL on one or more LAG interfaces may result in ACL policies not being enforced on ingress packets. This may lead to the following issues: 1. Packets that should be allowed may be dropped. 2. Packets that should be dropped may be allowed. This issue was discovered internally. Arista is not aware of any malicious exploitation of this issue in customer networks. Affected Software EOS Versions: 4.33.2.x versions in the 4.33.x mainline Affected Platforms Arista EOS-based Products: 70XX Series Configuration Requirements for Exploitation To be vulnerable to CVE-2025-2826, the following conditions must be met: IPv4 ingress ACL, MAC ingress表 ingress ACL, or IPv6 standard ingress ACL must be configured and activated on more than one Ethernet interface or more than one LAG interface. Indicators of Compromise This vulnerability may result in unintended ACL behavior. Examples include: ACL drops inbound traffic that should be allowed. No ACL drops inbound traffic that should be denied, allowing traffic to reach the device unexpectedly. Mitigation No workarounds are available. If resources permit and policy allows, ingress ACLs can be applied as egress ACLs. Solution The recommended solution is to upgrade to a patched software version that resolves this vulnerability. Arista recommends customers upgrade as soon as possible to the latest version of each release, which includes all the listed files. Hotfix No hotfix is available. Please upgrade to a version containing the fix for this bug, or downgrade to an earlier supported EOS version.

Goal Reached Thanks to every supporter — we hit 100%!

Arista EOS ACL Enforcement Bypass Vulnerability (CVE-2025-2826) Advisory