Cyber Resilience

CVE-2024-9132

Severity: High · RCE

Published: 10 January 2025
Modified: 29 September 2025
KEV Added: not listed
Patch: —
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9132 is a high-severity Code Injection (CWE-94) vulnerability in Arista NG Firewall. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-9132 is a high-severity vulnerability (CVSS 8.1, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (code injection), affecting Arista Networks software. It stems from an administrator being able to configure an insecure captive portal script, which can enable arbitrary code execution.

Remote attackers with network access can exploit this vulnerability; the attack complexity is high, but no privileges or user interaction are required. Successful exploitation has high impact on confidentiality, integrity, and availability, allowing an attacker to inject and execute malicious code through the misconfigured captive portal script.

Arista has issued Security Advisory-0105, available at https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105, which provides details on affected versions and recommended mitigations or patches.

Vulnerability details

The administrator is able to configure an insecure captive portal script.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct remote code injection via a misconfigured public-facing captive portal script enables arbitrary code execution (T1059) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-9134 (same product: Arista NG Firewall)
CVE-2024-9188 (same product: Arista NG Firewall)
CVE-2024-9131 (same product: Arista NG Firewall)
CVE-2024-47519 (same product: Arista NG Firewall)
CVE-2024-47518 (same product: Arista NG Firewall)
CVE-2024-47520 (same product: Arista NG Firewall)
CVE-2026-27577 (shared CWE-94)
CVE-2024-54756 (shared CWE-94)
CVE-2024-21760 (shared CWE-94)
CVE-2024-55028 (shared CWE-94)

Affected Assets

Arista NG Firewall, versions ≤ 17.1.1

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation)
Directly mitigates CWE-94 code injection by requiring validation of administrator inputs for captive portal scripts to prevent arbitrary code execution.

Prevent: CM-6 (Configuration Settings)
Enforces secure configuration settings that prohibit insecure captive portal scripts, addressing the root cause of administrator-enabled vulnerabilities.

Prevent: CM-7 (Least Functionality)
Limits system functionality to essential capabilities, restricting or disabling configurable script features in captive portals to reduce injection risk.
