
CVE-2025-1260

Critical

Published: 04 March 2025

Modified: 15 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1260 is a critical-severity Improper Access Control (CWE-284) vulnerability in Arista EOS (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). By exploit likelihood (EPSS) the CVE ranks at the 26.0th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 (prevent): directly enforces approved authorizations for access to system resources such as gNOI requests, so a request that policy says must be rejected is not executed despite the improper access control flaw.

- AC-6 (prevent): applies least privilege to privileged accounts, limiting the scope of unauthorized gNOI operations even for attackers who already hold high privileges (PR:H).

- CM-5 (prevent): restricts access to the system components involved in configuration changes, mitigating unexpected configurations applied via crafted gNOI requests.

MITRE ATT&CK Enterprise Techniques

- T1210 Exploitation of Remote Services (Lateral Movement): adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability is an improper access control flaw in the gNOI remote management service on Arista EOS, allowing a privileged remote attacker to bypass restrictions and apply unauthorized configurations/operations. This directly maps to exploitation of a remote service vulnerability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch.

Deeper analysis

CVE-2025-1260 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) affecting Arista EOS platforms with OpenConfig configured. It stems from improper access control (CWE-284), which allows a gNOI request to execute when it should be rejected. This flaw enables unexpected configurations or operations to be applied to the switch, potentially compromising its integrity and functionality. The vulnerability was published on 2025-03-04.

Exploitation requires high privileges (PR:H) and can be performed remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). A privileged attacker could send a crafted gNOI request that bypasses intended restrictions, leading to scope expansion (S:C) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation could allow arbitrary configuration changes or operational disruptions on the affected switch.

Arista has issued a security advisory at https://www.arista.com/en/support/advisories-notices/security-advisory/21098-security-advisory-0111, which provides details on the vulnerability and recommended mitigations. Security practitioners should consult this advisory for patch information and workaround guidance specific to affected EOS versions.

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: Arista EOS (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One (all share CWE-284)

- CVE-2026-0386
- CVE-2025-54968
- CVE-2026-23595
- CVE-2026-21667
- CVE-2026-32769
- CVE-2025-48983
- CVE-2026-21982
- CVE-2026-32737
- CVE-2026-21262
- CVE-2026-21666
