2026-06-05 15:58 CVE-2025-5088 Arista
PUBLISHED 5.2 CWE-269

Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. This would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Note that all Redis communication, including authentication, currently occurs in plaintext. TLS support is tracked under RFE1294850.

Problem type

Affected products

Arista Networks

EOS / CloudVision eXchange (CVX)

<= 4.34.1F - AFFECTED

<= 4.33.4M - AFFECTED

<= 4.32.6M - AFFECTED

<= 4.31.8M - AFFECTED

< 4.31.0 - AFFECTED

References

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-5088
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-5088",
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "dateUpdated": "2026-06-05T15:58:15.288Z",
    "dateReserved": "2025-05-22T16:20:16.105Z",
    "datePublished": "2026-06-05T15:58:15.288Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista",
        "dateUpdated": "2026-06-05T15:58:15.288Z"
      },
      "datePublic": "2025-11-18T00:00:00.000Z",
      "title": "Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Arista Networks",
          "product": "EOS / CloudVision eXchange (CVX)",
          "platforms": [
            "CloudVision eXchange",
            "virtual or physical appliance"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "4.34.0F",
              "status": "affected",
              "versionType": "custom",
              "lessThanOrEqual": "4.34.1F"
            },
            {
              "version": "4.33.0M",
              "status": "affected",
              "versionType": "custom",
              "lessThanOrEqual": "4.33.4M"
            },
            {
              "version": "4.32.0M",
              "status": "affected",
              "versionType": "custom",
              "lessThanOrEqual": "4.32.6M"
            },
            {
              "version": "4.31.0M",
              "status": "affected",
              "versionType": "custom",
              "lessThanOrEqual": "4.31.8M"
            },
            {
              "version": "4.30.0",
              "status": "affected",
              "versionType": "custom",
              "lessThan": "4.31.0"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-269: Improper Privilege Management",
              "cweId": "CWE-269",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH"
          }
        },
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n  Status: Enabled\n  Supported versions: 1\n  \n  Switch    Status    Negotiated Version\n  ------    -------   ------------------\n  <Switch1> Enabled   1\n  \ncvx1#show running-config section mcs\ncvx\n   service mcs\n      redis password 7 03054902151B20\n      no shutdown\n\n\n\n\nIf MCS Service is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\ncvx1#show cvx service mcs\nMcs\n  Status: Disabled\n  Supported versions: 1\n  \n  Switch    Status     Negotiated Version\n  ------    --------   ------------------\n  <Switch1> Disabled",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>In order to be vulnerable to CVE-2025-5088, the following condition must be met: MCS Service must be configured:</p>\n<pre><code>cvx1#show cvx service mcs\nMcs\n  Status: Enabled\n  Supported versions: 1\n  \n  Switch    Status    Negotiated Version\n  ------    -------   ------------------\n  &lt;Switch1&gt; Enabled   1\n  \ncvx1#show running-config section mcs\ncvx\n   service mcs\n      redis password 7 03054902151B20\n      no shutdown</code></pre>\n<p>If MCS Service is not configured there is no exposure to this issue and the message will look like:</p>\n<pre><code>cvx1#show cvx service mcs\nMcs\n  Status: Disabled\n  Supported versions: 1\n  \n  Switch    Status     Negotiated Version\n  ------    --------   ------------------\n  &lt;Switch1&gt; Disabled</code></pre>"
            }
          ]
        }
      ],
      "workarounds": [
        {
          "lang": "en",
          "value": "To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.\n\n\n\nPlease ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.\n\nLog in to the CVX Server\n\n\n\nAccess your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.\n\nStop Redis Before Applying Changes\n\n\n\nIt is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.\n\n\n\nExecuting no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.\n\n\n\ncvx>enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#\n\nEdit the redis.service Systemd Service File\n\n\n\nThis step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.\n\n\n\nFirst, transition to bash mode from the CVX configuration prompt:\n\n\n\ncvx(config-cvx-mcs)#bash\n\n\n\nOnce in bash, use sudo nano to edit the redis.service file:\n\n\n\n[cvx ~]$sudo nano /etc/systemd/system/redis.service\n\nAdd 'User' and 'Group' Directives to the [Service] Section\n\n\n\nWithin the redis.service file, locate the [Service] section and add the following lines:\n\n\n\n[Service]\nUser=redis\nGroup=redis\n\n\n\nThis modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.\n\n\n\nSave and exit the editor.\n\nChange Ownership of the Redis Log File\n\n\n\nTo ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.\n\n\n\n[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log\n\n\n\nThis step is required for the Redis server to be able to write logs once it restarts under the new user and group.\n\nRestart the Redis with New Changes\n\n\n\nAfter making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.\n\n\n\nFirst, exit bash mode:\n\n\n\n[cvx ~]$exit\n\n\n\nThen, reconfigure the Redis password:\n\n\n\ncvx(config-cvx-mcs)#redis password <secret>\n\n\n\nReplace <secret> with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.\n\n\n\nNOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>To run the redis-server as a dedicated \"redis\" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.</p><p>Please ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.</p><div><b>Log in to the CVX Server</b></div><p>Access your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.</p><div><b>Stop Redis Before Applying Changes</b></div><p>It is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.</p><p>Executing <i>no redis password</i> stops the Redis service by removing its authentication credentials, which prevents it from running.</p><pre>cvx&gt;enable\ncvx#config\ncvx(config)#cvx\ncvx(config-cvx)#service mcs\ncvx(config-cvx-mcs)#no redis password\ncvx(config-cvx-mcs)#</pre><div><b>Edit the redis.service Systemd Service File</b></div><p>This step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.</p><p>First, transition to bash mode from the CVX configuration prompt:</p><pre>cvx(config-cvx-mcs)#bash</pre><p>Once in bash, use <i>sudo nano</i> to edit the redis.service file:</p><pre>[cvx ~]$sudo nano /etc/systemd/system/redis.service</pre><div><b>Add 'User' and 'Group' Directives to the [Service] Section</b></div><p>Within the redis.service file, locate the [Service] section and add the following lines:</p><pre>[Service]\nUser=redis\nGroup=redis</pre><p>This modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.</p><p>Save and exit the editor.</p><div><b>Change Ownership of the Redis Log File</b></div><p>To ensure the redis user has appropriate write permissions for its log file, change the ownership of <i>/var/log/redis/redis.log</i> to the redis user and group.</p><pre>[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log</pre><p>This step is required for the Redis server to be able to write logs once it restarts under the new user and group.</p><div><b>Restart the Redis with New Changes</b></div><p>After making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.</p><p>First, exit bash mode:</p><pre>[cvx ~]$exit</pre><p>Then, reconfigure the Redis password:</p><pre>cvx(config-cvx-mcs)#redis password &lt;secret&gt;</pre><p>Replace <i>&lt;secret&gt;</i> with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.</p><p><b>NOTE:</b> Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.</p>"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-5088 has been fixed in the following releases:\n\n  *  4.34.2F and later releases in the 4.34.x train\n  *  4.33.5M and later releases in the 4.33.x train\n  *  4.32.7M and later releases in the 4.32.x train\n  *  4.31.9M and later releases in the 4.31.x train",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\">EOS User Manual: Upgrades and Downgrades</a></p><div>CVE-2025-5088 has been fixed in the following releases:</div><ul><li>4.34.2F and later releases in the 4.34.x train</li><li>4.33.5M and later releases in the 4.33.x train</li><li>4.32.7M and later releases in the 4.32.x train</li><li>4.31.9M and later releases in the 4.31.x train</li></ul>"
            }
          ]
        }
      ]
    }
  }
}