CVE-2025-2796
📋 TL;DR
Arista EOS devices with hardware IPSec support and anti-replay protection configured may forward duplicate encrypted packets instead of dropping them. This vulnerability affects platforms running specific Arista EOS versions with IPsec enabled. The issue does not impact VXLANSec or MACSec encryption.
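The check that a correct IPsec receiver performs, and that the affected hardware path skips for duplicates, is the ESP anti-replay sliding window of RFC 4303 section 3.4.3. The reference implementation below is an added example written for this page; it is not Arista code and does not model EOS internals. It accepts a sequence number that is newer than anything seen or that falls inside the window and has not been seen, and it drops replays (already-seen) and stale (older than the window) numbers. The sequence numbers fed to it are constructed.

```python
"""Reference ESP anti-replay window (RFC 4303 sec. 3.4.3).

Added example for this page, not Arista code.  Shows the drop a
correct receiver applies to a replayed sequence number.
"""
from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    size: int = 64      # window width in sequence numbers (RFC 4303: at least 32)
    top: int = 0        # highest sequence number accepted so far
    bitmap: int = 0     # bit i set  =>  sequence number (top - i) already accepted
    accepted: int = 0
    replayed: int = 0
    stale: int = 0

    def check_and_update(self, seq: int) -> str:
        """Classify one received ESP sequence number as 'accept', 'replay' or 'stale'.

        The caller is assumed to have verified the packet's ICV first: RFC 4303
        only allows the window to be advanced for authenticated packets.
        """
        if seq == 0:
            # ESP sequence numbers start at 1; 0 is never valid on the wire.
            self.stale += 1
            return "stale"
        if seq > self.top:
            # Newer than anything seen: slide the window up and mark this seq.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                      # whole old window falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            self.accepted += 1
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            # Below the window: cannot tell replay from reorder, so drop.
            self.stale += 1
            return "stale"
        if self.bitmap & (1 << offset):
            # Inside the window and already accepted once: this is a replay.
            self.replayed += 1
            return "replay"
        # Inside the window, first time seen (reordered but legitimate).
        self.bitmap |= 1 << offset
        self.accepted += 1
        return "accept"


def process(seqs, size=64):
    """Run a sequence of received ESP sequence numbers through one window."""
    window = AntiReplayWindow(size=size)
    verdicts = [window.check_and_update(s) for s in seqs]
    return window, verdicts


if __name__ == "__main__":
    # Constructed input: in-order traffic, two replays (2 and 4), a large
    # jump, a reordered packet still inside the window, and a stale one.
    sample = [1, 2, 3, 2, 5, 4, 4, 100, 40, 36]
    w, verdicts = process(sample)
    for s, v in zip(sample, verdicts):
        print(f"seq {s:>3}: {v}")
    print(f"accepted={w.accepted} replayed={w.replayed} stale={w.stale}")
```

Each `replay` verdict is a packet that must never reach the tunnel's inner interface; a receiver that forwards it anyway is exhibiting the behaviour this CVE describes.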
💻 Affected Systems
- Arista EOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could replay encrypted packets to bypass IPSec anti-replay protection, potentially causing data integrity issues or service disruption in sensitive network segments.
Likely Case
Limited impact on network integrity where duplicate packets might cause minor performance issues or unexpected behavior in applications relying on IPSec protection.
If Mitigated
With proper network segmentation and monitoring, impact is minimal as this doesn't allow data decryption or authentication bypass.
🎯 Exploit Status
Exploitation requires ability to capture and replay encrypted packets on the network path, plus specific configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Arista advisory for specific fixed versions
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/21413-security-advisory-0119
Restart Required: Yes
Instructions:
1. Review the Arista advisory for affected versions.
2. Upgrade to a fixed EOS version.
3. Schedule a maintenance window for the reboot.
4. Verify IPSec functionality post-upgrade.
🔧 Temporary Workarounds
Disable anti-replay protection
Temporarily disable IPSec anti-replay protection (reduces security but eliminates the vulnerability)
no ipsec anti-replay
Use software IPSec
Configure IPSec to use software instead of hardware acceleration, if supported
ipsec mode software
🧯 If You Can't Patch
- Implement network monitoring for unusual packet patterns in IPSec tunnels
- Segment IPSec traffic to limit potential impact scope
🔍 How to Verify
Check if Vulnerable:
Check EOS version and IPSec configuration: show version | include Software, show ipsec
Check Version:
show version | include Software
Verify Fix Applied:
Verify upgraded to fixed version and IPSec anti-replay is functioning: show version, show ipsec statistics
📡 Detection & Monitoring
Log Indicators:
- Unusual IPSec packet drop/replay statistics
- Increased duplicate packet counts in IPSec logs
Network Indicators:
- Unexpected duplicate encrypted packets in IPSec tunnels
- Anomalous IPSec traffic patterns
SIEM Query:
source="arista-firewall" AND ("ipsec" AND ("duplicate" OR "replay"))