CVE-2025-8873 (GCVE-0-2025-8873)
Vulnerability from cvelistv5
Published
2026-06-04 23:04
Modified
2026-06-05 18:31
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Summary
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
References
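| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127 | vendor-advisory |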
Impacted products
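| Vendor | Product | Platforms | Affected versions (inclusive) |
|---|---|---|---|
| Arista Networks | EOS | 7020SRG Series | 4.33.0M through 4.33.4M |
| Arista Networks | EOS | 7020SRG Series | 4.32.0M through 4.32.6.1M |
| Arista Networks | EOS | 7020SRG Series | 4.31.0M through 4.31.7.1M |
| Arista Networks | EOS | 7020SRG Series | 4.30.0M through 4.30.10M |
| Arista Networks | EOS | 7020SRG Series | 4.29.0M through 4.29.10.1M |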
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:31:22.291972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:31:35.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020SRG Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6.1M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.7.1M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.10M",
"status": "affected",
"version": "4.30.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.10.1M",
"status": "affected",
"version": "4.29.0M",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf IPsec is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel.\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\n\n\n\n\nIf IPsec is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel."
}
],
"datePublic": "2026-06-04T22:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:04:56.535Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-8873 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal:\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ehttps://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThis may momentarily impact traffic. 
Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\u003c/p\u003e\u003cpre\u003eswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u0026nbsp;\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e:\u003c/p\u003e\u003cpre\u003eswitch(config-tcam)#show hardware tcam profile\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Configuration\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\nFixedSystem\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u2018\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e\u2019 differs from the \u2018\u003cb\u003eipsec\u003c/b\u003e\u2019 TCAM profile in two ways:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress IP ACLs are disabled\u003c/li\u003e\u003cli\u003eFixes for BUG603398 and BUG1246592 are applied\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u00a0 https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .\n\n\n\nThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\n\n\n\nswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\n\n\u00a0\n\n\n\nTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u00a0ipsec-egress-padding-removal:\n\n\n\nswitch(config-tcam)#show hardware tcam profile\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Configuration\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\nFixedSystem\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\n\n\u00a0\n\n\n\n\u2018ipsec-egress-padding-removal\u2019 differs from the \u2018ipsec\u2019 TCAM profile in two ways:\n\n * Egress IP ACLs are disabled\n * Fixes for BUG603398 and BUG1246592 are applied"
}
],
"source": {
"advisory": "127",
"defect": [
"BUG 1246592"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Dataplane Denial of Service via Malformed IPsec Packet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are no mitigations for this vulnerability.\u003c/p\u003e"
}
],
"value": "There are no mitigations for this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-8873",
"datePublished": "2026-06-04T23:04:56.535Z",
"dateReserved": "2025-08-11T18:28:43.460Z",
"dateUpdated": "2026-06-05T18:31:35.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}