
Arista Networks has released a critical security advisory detailing a severe vulnerability in its CloudVision Portal (CVP) software, tracked as CVE-2024-11186, carrying the highest possible CVSS score of 10.0. This flaw, if exploited, could enable a malicious authenticated user to perform broader actions on managed EOS devices than originally intended, potentially compromising entire network infrastructures.
“On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended,” Arista warned in the official advisory.
This vulnerability affects only on-premise deployments of CloudVision Portal; CloudVision as-a-Service is not impacted, so customers on the hosted service are not exposed.
Arista confirms that a wide range of CVP software trains from 2017 through early 2024 are impacted. This includes:
- All releases in the 2023.x, 2022.x, 2021.x, 2020.x, 2019.x, 2018.x, and 2017.x trains
- In the 2024.x trains: 2024.3.0 and earlier, 2024.2.1 and earlier, and 2024.1.2 and earlier
- Affected platforms include both virtual and physical appliances of CloudVision Portal.
For CVE-2024-11186 to be exploitable, an attacker must first be authenticated to the CloudVision system. The authentication requirement rules out unauthenticated remote exploitation, but it does not require elevated rights: any valid CloudVision account, whether a low-privilege user, a shared login, or a stolen credential, can be used to push actions to managed EOS devices beyond what that account was meant to do. Environments with shared access or weak credential hygiene should therefore treat this as a serious privilege-escalation path rather than a purely external threat.
“A user must be able to authenticate with CloudVision” to exploit this issue, Arista notes.
Arista recommends checking internal logs for anomalous activity. Specifically, administrators should inspect:
- CVP logs starting with “Request to execute:”
- RADIUS/TACACS logs on managed EOS devices
Pairing the two sources matters: the CVP entries show which user requested which command through CloudVision, while the AAA accounting records on the devices show what actually ran and when, so a command that appears in one log but not the other, or a read-only account suddenly issuing configuration changes, is the signal to investigate.
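As an added illustration (not Arista's tooling, and not code from the advisory), the script below triages "Request to execute:" entries from a CVP log. The log-line layout, the account names, and the notion of which accounts are "privileged" are all assumptions constructed for the example; real CVP output differs between releases, so the regular expression and the role map must be adapted to your deployment. The sample log text is invented.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real CVP output).
# ASSUMED layout: "<timestamp> <level> user=<name> device=<host> Request to execute: <command>".
# Real CVP log formatting differs between releases; adjust LINE_RE to match yours.
SAMPLE_CVP_LOG = """\
2025-05-12T09:14:02Z INFO user=netops-alice device=leaf1 Request to execute: show version
2025-05-12T09:15:40Z INFO user=netops-alice device=leaf1 Request to execute: show interfaces status
2025-05-12T09:20:11Z INFO user=readonly-bob device=spine1 Request to execute: configure terminal
2025-05-12T09:20:12Z INFO user=readonly-bob device=spine1 Request to execute: username backdoor privilege 15 secret Pa55w0rd
2025-05-12T09:21:03Z INFO user=readonly-bob device=spine2 Request to execute: copy running-config startup-config
2025-05-12T10:02:55Z INFO user=netops-carol device=leaf3 Request to execute: bash sudo cat /etc/shadow
2025-05-12T10:05:00Z WARN some unrelated line without the marker
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) device=(?P<device>\S+) "
    r"Request to execute: (?P<cmd>.+)$"
)

# Hypothetical role map for the example: accounts expected to hold change rights.
PRIVILEGED_USERS = frozenset({"netops-alice", "netops-carol"})

# EOS command prefixes that alter state, plus prefixes that leave the CLI for the
# underlying Linux shell (always worth a look, whoever issued them).
STATE_CHANGING_PREFIXES = (
    "configure", "username", "copy ", "write", "reload", "delete ", "enable secret",
)
SHELL_ESCAPE_PREFIXES = ("bash", "shell")


def parse_execute_requests(log_text):
    """Return one dict per 'Request to execute:' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event, privileged_users=PRIVILEGED_USERS):
    """Return a reason string if the event is suspicious, else None."""
    cmd = event["cmd"].strip().lower()
    if cmd.startswith(SHELL_ESCAPE_PREFIXES):
        return "shell escape from EOS CLI"
    if event["user"] not in privileged_users and cmd.startswith(STATE_CHANGING_PREFIXES):
        return "state-changing command from non-privileged account"
    return None


def find_suspicious(events, privileged_users=PRIVILEGED_USERS):
    """Filter events down to those worth an analyst's attention, with reasons."""
    flagged = []
    for ev in events:
        reason = classify(ev, privileged_users)
        if reason:
            flagged.append({**ev, "reason": reason})
    return flagged


def devices_per_user(events):
    """Map each user to the set of managed devices they sent commands to."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["device"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_execute_requests(SAMPLE_CVP_LOG)
    for hit in find_suspicious(evs):
        print(f"{hit['ts']} {hit['user']}@{hit['device']}: {hit['cmd']}  [{hit['reason']}]")
    for user, devs in devices_per_user(evs).items():
        print(f"{user}: {len(devs)} device(s)")
```

Run against the sample, the read-only account's three configuration commands and the privileged account's shell escape are flagged while the `show` commands are not; the per-user device count is the quick way to spot one account fanning out across the fleet. The flagged timestamps and device names are what you then look up in the RADIUS/TACACS accounting logs on the devices themselves.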
For those unable to immediately upgrade, Arista provides a temporary mitigation using an nginx configuration change:
Follow this by restarting the nginx service using:
This blocks access to the vulnerable endpoint and provides a stopgap until a full patch can be applied.
Arista has released remediated software in the following versions:
- 2025.1.0 and later in the 2025.1.x train
- 2024.3.1, 2024.2.2, and 2024.1.3 in their respective trains
Customers are strongly encouraged to upgrade to the latest available patch train for full protection.
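For auditing a fleet of CVP instances against the version lists above, here is an added example (not Arista code) that encodes the affected and fixed releases exactly as the advisory states them and reports anything outside those trains as "unknown" rather than guessing. The version-string format `YYYY.N.M` and the helper names are assumptions made for the example.

```python
# Added example, not Arista tooling. Encodes the affected/fixed versions exactly
# as listed in the advisory text above; anything outside those trains is "unknown".
FIXED_IN_TRAIN = {
    (2024, 1): (2024, 1, 3),
    (2024, 2): (2024, 2, 2),
    (2024, 3): (2024, 3, 1),
    (2025, 1): (2025, 1, 0),
}
FIRST_AFFECTED_MAJOR = 2017
LAST_FULLY_AFFECTED_MAJOR = 2023  # every release in the 2017.x ... 2023.x trains is affected


def parse_cvp_version(text):
    """Parse 'YYYY.N.M' into a (year, train, patch) tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CVP version string: {text!r}")
    return tuple(int(p) for p in parts)


def cve_2024_11186_status(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one CVP version string."""
    year, train, patch = parse_cvp_version(text)
    if FIRST_AFFECTED_MAJOR <= year <= LAST_FULLY_AFFECTED_MAJOR:
        return "vulnerable"
    fixed = FIXED_IN_TRAIN.get((year, train))
    if fixed is None:
        return "unknown"  # train not named in the advisory as reproduced here
    return "fixed" if (year, train, patch) >= fixed else "vulnerable"


def audit(versions):
    """Group a fleet's version strings by status, e.g. for a change ticket."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for v in versions:
        report[cve_2024_11186_status(v)].append(v)
    return report


if __name__ == "__main__":
    # Constructed inventory for the example.
    for status, items in audit(["2023.3.1", "2024.1.2", "2024.2.2", "2024.3.0", "2025.1.0", "2025.2.0"]).items():
        print(f"{status}: {items}")
```

The "unknown" bucket is deliberate: a train the advisory does not mention (a later 2025.x release, for instance) should be confirmed against Arista's current advisory text rather than assumed safe.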