#VU126167 Improper privilege management in Arista Extensible Operating System (EOS) and Arista CloudEOS VM - CVE-2025-5088


Published: April 15, 2026


Vulnerability identifier: #VU126167
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-5088
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Arista Extensible Operating System (EOS)
Arista CloudEOS VM
Software vendor:
Arista Networks

Description

The vulnerability allows a remote user to obtain full root access to all servers in the CVX cluster.

The vulnerability exists due to improper privilege management in the MCS Redis service when handling an authenticated Redis session. A remote user who holds an authenticated Redis session can use it to obtain full root access to every server in the CVX cluster.

Only systems with the MCS service enabled are affected. Note that Redis communication, including authentication, occurs over plaintext, so the Redis credentials are exposed to anyone able to observe that traffic.


Remediation

Install the security update from the vendor's website.

External links