CVE-2025-0936
📋 TL;DR
Arista EOS devices with gNMI transport enabled may log or transmit remote server credentials when using the gNOI File TransferToRemote RPC. This affects organizations using Arista networking equipment with gNMI enabled for remote file transfers. The vulnerability exposes credentials that could be used for further attacks.
💻 Affected Systems
- Arista EOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to remote server credentials, potentially compromising external systems, performing lateral movement, or accessing sensitive data on remote servers.
Likely Case
Credentials are exposed in logs accessible to administrators or monitoring systems, potentially leading to credential misuse if logs are not properly secured.
If Mitigated
With proper log security and access controls, credential exposure is limited to authorized personnel only, reducing the risk of misuse.
🎯 Exploit Status
Requires access to execute the gNOI RPC and knowledge of the vulnerability. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Arista security advisory for specific fixed versions
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117
Restart Required: Yes
Instructions:
1. Review Arista security advisory 21394.
2. Identify affected EOS versions.
3. Upgrade to fixed EOS version.
4. Restart affected devices.
🔧 Temporary Workarounds
Disable gNMI transport
Disable gNMI transport if not required for operations
no management api gnmi
Restrict gNOI RPC access
Limit access to gNOI RPCs to trusted users only
management api gnmi
   transport grpc default
      no shutdown
      vrf management
      ip access-group ACL-NAME in
🧯 If You Can't Patch
- Implement strict access controls for gNMI/gNOI interfaces
- Monitor and secure logs containing credential information
🔍 How to Verify
Check if Vulnerable:
Check if gNMI is enabled and EOS version is vulnerable: show management api gnmi
Check Version:
show version | include Software image version
Verify Fix Applied:
Verify EOS version is patched: show version | include Software image version
📡 Detection & Monitoring
Log Indicators:
- gNOI File TransferToRemote RPC executions in system logs
- Credential strings appearing in unexpected log locations
Network Indicators:
- Unusual gNMI/gNOI traffic patterns
- Multiple failed authentication attempts following gNOI operations
SIEM Query:
source="arista-eos" AND ("TransferToRemote" OR "gNOI")
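One way to triage the log indicators listed above before logs are forwarded, added here as an example and not taken from Arista's advisory or from this page. Only the RPC name comes from the SIEM query; the log line layout, the key names treated as secrets (password, passwd, cleartext) and the URL-userinfo pattern are assumptions.

```python
import re

# Assumed credential shapes (not taken from the advisory): key/value pairs and
# URL userinfo such as scheme://user:secret@host.
KV_SECRET = re.compile(r'(?i)\b(password|passwd|cleartext)\b(\s*[:=]\s*)("[^"]*"|\S+)')
URL_SECRET = re.compile(r'(\b[a-z][a-z0-9+.-]*://[^\s:/@]+:)([^\s@]+)(@)', re.I)
RPC = re.compile(r'TransferToRemote')  # RPC name from the page's SIEM query


def redact(line):
    """Return (redacted_line, number_of_secrets_masked)."""
    line, n_kv = KV_SECRET.subn(lambda m: m.group(1) + m.group(2) + "<redacted>", line)
    line, n_url = URL_SECRET.subn(r"\1<redacted>\3", line)
    return line, n_kv + n_url


def triage(lines):
    """Classify each line; the returned text never contains the secret itself."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        safe, masked = redact(raw.rstrip("\n"))
        rpc = bool(RPC.search(raw))
        if rpc and masked:
            severity = "credential-in-rpc-log"   # the exposure this CVE describes
        elif masked:
            severity = "credential-elsewhere"    # credentials in unexpected log locations
        elif rpc:
            severity = "rpc-executed"            # audit trail only
        else:
            continue
        findings.append({"line": lineno, "severity": severity, "text": safe})
    return findings


# Constructed sample lines for illustration; the real EOS log format may differ.
SAMPLE = [
    'Jan 10 10:00:01 sw1 gnoi: File.TransferToRemote local_path="/mnt/flash/a.cfg" '
    'remote_download { path: "sftp://203.0.113.7/a.cfg" credentials { username: "backup" cleartext: "S3cr3t!" } }',
    "Jan 10 10:00:02 sw1 gnoi: File.TransferToRemote completed",
    "Jan 10 10:05:00 sw1 cli: copy flash:a.cfg scp://backup:hunter2@203.0.113.7/a.cfg",
    "Jan 10 10:06:00 sw1 intf: Interface Ethernet1 changed state to up",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Running the redaction on the collector, before lines reach the SIEM index, keeps the detection signal while avoiding a second copy of the credential in the log pipeline.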