
Arista Networks, a leading provider of network switching solutions, has issued a security advisory warning of two vulnerabilities affecting its Extensible Operating System (EOS) software. The vulnerabilities, tracked as CVE-2025-1259 and CVE-2025-1260, could allow unauthorized access to sensitive data and enable attackers to make unauthorized configuration changes to vulnerable devices.
The vulnerabilities stem from issues with the OpenConfig implementation in Arista EOS. “For both CVE-2025-1259 and CVE-2025-1260, on affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected,” Arista stated in its advisory.
CVE-2025-1259 (CVSS 7.1) could allow attackers to retrieve data that should not be accessible, potentially exposing sensitive network information. CVE-2025-1260 (CVSS 9.1) could allow attackers to apply unexpected configuration changes or execute unauthorized operations on the switch, potentially disrupting network operations or compromising network security.
Arista EOS versions 4.33.1 and below, 4.32.3 and below, 4.31.5 and below, 4.30.8 and below, 4.29.9 and below, and 4.28.12 and below are affected by these vulnerabilities. A wide range of Arista EOS-based products are impacted, including the 710 Series, 720D Series, 720XP/722XPM Series, 750X Series, 7010 Series, 7010X Series, 7020R Series, 7130 Series running EOS, 7150 Series, 7160 Series, 7170 Series, 7050X/X2/X3/X4 Series, 7060X/X2/X4/X5/X6 Series, 7250X Series, 7260X/X3 Series, 7280E/R/R2/R3 Series, 7300X/X3 Series, 7320X Series, 7358X4 Series, 7368X4 Series, 7388X5 Series, 7500E/R/R2/R3 Series, 7800R3/R4 Series, 7700R4 Series, AWE 5000 and AWE 7200R Series, CloudEOS, CEOS-lab, and VEOS-lab.
Arista has released updated versions of EOS that address these vulnerabilities. Users are urged to upgrade to the latest versions of EOS as soon as possible.
For those who cannot immediately upgrade, Arista provides mitigation strategies to reduce the risk of exploitation. These include disabling the OpenConfig agent or configuring gNSI authorization to block specific gNOI RPCs.
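One concrete shape the gNSI authorization mitigation can take, shown here as an added example rather than text or code from Arista's advisory: a gNSI authz policy in the OpenConfig gRPC authorization-policy JSON format, with a small Python evaluator that applies its deny-before-allow semantics to constructed gNOI RPC paths and SPIFFE principals. The policy name, the principals and the choice of RPCs to block are assumptions made for illustration; the matcher uses simple glob matching, and how the policy is loaded onto EOS is not shown.

```python
import json
from fnmatch import fnmatchcase

# Constructed gNSI authz policy in the OpenConfig gRPC authorization-policy JSON
# shape (assumption). Operators are denied state-changing gNOI RPCs and allowed
# two read-only gnoi.system RPCs; the admin identity may call any gNOI RPC.
POLICY_JSON = """
{
  "name": "eos-gnoi-hardening",
  "deny_rules": [{
    "name": "deny-state-changing-gnoi",
    "source": {"principals": ["spiffe://example.net/sa/operator*"]},
    "request": {"paths": ["/gnoi.system.System/Reboot",
                          "/gnoi.system.System/SetPackage",
                          "/gnoi.file.File/*", "/gnoi.os.OS/*"]}
  }],
  "allow_rules": [{
    "name": "allow-admin-all",
    "source": {"principals": ["spiffe://example.net/sa/admin"]},
    "request": {"paths": ["/gnoi.*"]}
  }, {
    "name": "allow-operator-readonly",
    "source": {"principals": ["spiffe://example.net/sa/operator*"]},
    "request": {"paths": ["/gnoi.system.System/Time",
                          "/gnoi.system.System/Ping"]}
  }]
}
"""
POLICY = json.loads(POLICY_JSON)

def _rule_matches(rule, principal, rpc):
    """A rule matches when some principal pattern AND some path pattern match.
    A rule lacking a source or request section matches every principal or RPC."""
    principals = rule.get("source", {}).get("principals", ["*"])
    paths = rule.get("request", {}).get("paths", ["*"])
    return (any(fnmatchcase(principal, p) for p in principals)
            and any(fnmatchcase(rpc, p) for p in paths))

def authorize(policy, principal, rpc):
    """Deny rules are evaluated first; then an allow rule must match; default deny."""
    if any(_rule_matches(r, principal, rpc) for r in policy.get("deny_rules", [])):
        return False
    return any(_rule_matches(r, principal, rpc) for r in policy.get("allow_rules", []))

if __name__ == "__main__":
    who = "spiffe://example.net/sa/operator1"
    print(who, "Reboot ->", authorize(POLICY, who, "/gnoi.system.System/Reboot"))
```

An identity that matches no allow rule (for example a principal the policy never names) is denied every RPC, which is the default-deny behaviour a hardening policy should rely on.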
Arista emphasizes that these vulnerabilities were discovered internally and that it is not aware of any malicious exploitation in customer networks. Even so, users of affected devices should act promptly to protect their networks from potential attacks.