Arista reports flaws in Arista EOS, one critical
Take action: If you run Arista Networks devices on EOS, review the advisory in detail. First, check whether you can isolate the devices from the internet so that their management interfaces are reachable only from trusted networks; if so, do that first. Then either patch outright, or, as a temporary mitigation, disable the affected gNOI request types or the entire OpenConfig agent.
Learn More
Arista Networks has disclosed two security vulnerabilities, one of them rated critical, affecting EOS (Extensible Operating System), the network operating system that powers a wide range of its switching and routing equipment.
The vulnerabilities involve authentication bypass issues that could potentially allow attackers to gain unauthorized access to sensitive data or make dangerous configuration changes to affected devices.
- CVE-2025-1260 (CVSS score 9.1) enables attackers to manipulate device configurations by sending specially crafted gNOI (gRPC Network Operations Interface) requests that should normally be rejected.
- CVE-2025-1259 (CVSS score 7.1) allows unauthorized users to access restricted data through similar means. Both vulnerabilities stem from improper access control mechanisms (CWE-284) in how the system handles certain network management requests.
These vulnerabilities only affect systems with the OpenConfig management option enabled, so not all Arista customers are at risk. Arista discovered the issues internally during a security audit and states that it is not aware of any exploitation in the wild.
Arista has released patches for these vulnerabilities in several updated versions of their EOS software, including 4.28.13, 4.29.10, 4.30.9, 4.31.6, 4.32.4, and 4.33.2.
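A practical first step is to triage an inventory against the fixed releases above. The following is an added example, not Arista's code or tooling: it parses EOS version strings, compares each device against the fixed release for its maintenance train, and treats a device as exposed only if it runs an older release and has OpenConfig enabled. The inventory is constructed for illustration, the handling of version suffixes (M/F) and of trains not named in the advisory is an assumption, and a device marked "not-exposed" should still be scheduled for patching.

```python
"""Triage an EOS inventory against the fixed releases named in the advisory.

Added example (hypothetical helper, not Arista's code). Assumptions:
- EOS versions compare numerically on (major, minor, patch); trailing
  letters such as M or F are ignored.
- Only devices with the OpenConfig agent enabled are exposed.
- Trains not listed in the advisory are reported as "unknown-train" rather
  than guessed at; check the advisory for those.
"""
import re

# Fixed releases from the advisory, keyed by maintenance train (major, minor).
FIXED = {
    (4, 28): (4, 28, 13),
    (4, 29): (4, 29, 10),
    (4, 30): (4, 30, 9),
    (4, 31): (4, 31, 6),
    (4, 32): (4, 32, 4),
    (4, 33): (4, 33, 2),
}

# Leading "major.minor.patch"; anything after (e.g. "F", "M", ".1F") is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s):
    """Turn '4.31.5F' or '4.28.13M' into (4, 31, 5) / (4, 28, 13)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def classify(version, openconfig_enabled):
    """Return one of: not-exposed, unknown-train, patched, vulnerable."""
    major, minor, patch = parse_version(version)
    if not openconfig_enabled:
        # Advisory: only OpenConfig-enabled systems are affected (still patch later).
        return "not-exposed"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-train"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version, openconfig_enabled) -> {hostname: status}."""
    return {host: classify(ver, oc) for host, ver, oc in inventory}


# Constructed sample inventory (not real devices).
SAMPLE = [
    ("core1", "4.31.5F", True),    # below 4.31.6, OpenConfig on  -> vulnerable
    ("core2", "4.31.6M", True),    # at the fixed release          -> patched
    ("leaf1", "4.28.12M", False),  # old, but OpenConfig off       -> not-exposed
    ("leaf2", "4.33.1F", True),    # below 4.33.2                  -> vulnerable
    ("lab1", "4.27.3F", True),     # train not in the advisory     -> unknown-train
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {status}")
```

Feed it whatever your inventory system exports (hostname, `show version` string, whether `management api gnmi` or the OpenConfig agent is configured); the "unknown-train" bucket is deliberate, since the advisory only names fixed releases for the trains listed above.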
For administrators who cannot immediately apply these updates, Arista proposes temporary mitigations: disabling the affected request types, or disabling the OpenConfig agent entirely.
Arista has also published hotfix packages for administrators who need targeted remediation without performing a full system upgrade.