
CVE-2024-9132

Severity: High · Type: RCE

Published: 10 January 2025
Modified: 29 September 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: see Arista Security Advisory 0105 (linked below)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9132 is a high-severity code injection (CWE-94) vulnerability in Arista NG Firewall, affecting versions 17.1.1 and earlier. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score (69.4th percentile) places it in the top 30.6% of CVEs by predicted exploit likelihood. It is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 r5 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Command and Scripting Interpreter (T1059). What defenders deploy: the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly mitigates CWE-94 code injection by requiring validation of administrator inputs for captive portal scripts, preventing arbitrary code execution. (SI-10, Information Input Validation)
- Prevent: Enforces secure configuration settings that prohibit insecure captive portal scripts, addressing the root cause of this administrator-enabled vulnerability. (CM-6, Configuration Settings)
- Prevent: Limits system functionality to essential capabilities, restricting or disabling configurable script features in captive portals to reduce injection risk.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Remote code injection through a misconfigured, public-facing captive portal script enables arbitrary code execution (T1059) after exploitation of the public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The administrator is able to configure an insecure captive portal script

Deeper analysis

CVE-2024-9132 is a high-severity vulnerability (CVSS 8.1, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (code injection), affecting Arista NG Firewall versions 17.1.1 and earlier. It stems from the ability of an administrator to configure an insecure captive portal script, which can enable arbitrary code execution.

Remote attackers with network access can exploit this vulnerability; the vector rates attack complexity as high and requires no privileges or user interaction. Successful exploitation has high confidentiality, integrity, and availability impact, allowing an attacker to inject and execute code through the misconfigured captive portal script. Note that the NVD description ties the exposure to an administrator having configured an insecure captive portal script, so the exploitable condition is configuration-dependent rather than present in every deployment; reviewing configured captive portal scripts is therefore part of triage, not only checking the installed version.

Arista has issued Security Advisory-0105, available at https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105, which provides details on affected versions and recommended mitigations or patches.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products: Arista NG Firewall, versions ≤ 17.1.1 (CPE vendor "arista", product "ng firewall")

CVEs Like This One

- CVE-2024-9134 (same product: Arista NG Firewall)
- CVE-2024-9188 (same product: Arista NG Firewall)
- CVE-2024-47519 (same product: Arista NG Firewall)
- CVE-2024-47520 (same product: Arista NG Firewall)
- CVE-2024-9131 (same product: Arista NG Firewall)
- CVE-2024-47518 (same product: Arista NG Firewall)
- CVE-2025-22906 (shared CWE-94)
- CVE-2025-71281 (shared CWE-94)
- CVE-2024-50658 (shared CWE-94)
- CVE-2026-32525 (shared CWE-94)
