CVE-2025-1260

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthorized gNOI requests to bypass security controls on Arista EOS devices with OpenConfig enabled, potentially enabling attackers to modify switch configurations or execute unauthorized operations. It affects Arista switches running vulnerable EOS versions with OpenConfig configured.

💻 Affected Systems

Products:
  • Arista EOS
Versions: Specific versions not detailed in advisory; check Arista advisory for exact affected versions
Operating Systems: Arista EOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when OpenConfig is configured on the device

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network compromise through unauthorized configuration changes, service disruption, or data interception via malicious switch reconfiguration.

🟠

Likely Case

Unauthorized configuration changes leading to network instability, service outages, or security policy bypass.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized gNOI access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to the gNOI service and knowledge of the gNOI protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Arista advisory for fixed EOS versions

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/21098-security-advisory-0111

Restart Required: Yes

Instructions:

  1. Review the Arista advisory for fixed EOS versions.
  2. Schedule a maintenance window.
  3. Back up the configuration.
  4. Upgrade to a fixed EOS version.
  5. Verify functionality post-upgrade.

🔧 Temporary Workarounds

Disable OpenConfig

all

Remove OpenConfig configuration if not required for operations

no openconfig

Restrict gNOI Access

all

Implement ACLs to restrict access to gNOI service

management access-list standard RESTRICT_GNOMI
permit host <trusted_host>
deny any
management api gNMI
access-group RESTRICT_GNOMI in

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate management interfaces
  • Enable comprehensive logging and monitoring for gNOI access attempts

🔍 How to Verify

Check if Vulnerable:

Check if OpenConfig is configured: 'show running-config | include openconfig' and verify EOS version against advisory

Check Version:

show version

Verify Fix Applied:

Verify upgraded to fixed EOS version: 'show version' and confirm OpenConfig functionality if required

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized gNOI access attempts
  • Unexpected configuration changes via gNOI

Network Indicators:

  • Unusual gNOI traffic patterns
  • gNOI requests from unauthorized sources

SIEM Query:

source="arista-switch" AND (event="gNOI" OR protocol="gNOI") AND NOT src_ip IN [trusted_management_ips]
