On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.
Fixes

Solution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades   CVE-2025-3456 has been fixed in the following releases: * 4.34.1F and later releases in the 4.34.x train * 4.33.4M and later releases in the 4.33.x train * 4.32.6M and later releases in the 4.32.x train * 4.31.8M and later releases in the 4.31.x train


Workaround

There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience and afterwards rotate the custom global encryption-key.

History

Tue, 26 Aug 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Arista
Arista eos
Vendors & Products Arista
Arista eos

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Description On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.
Title On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-c
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2025-08-25T20:31:54.730Z

Reserved: 2025-04-08T21:38:05.413Z

Link: CVE-2025-3456

cve-icon Vulnrichment

Updated: 2025-08-25T20:22:46.098Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-25T20:15:39.907

Modified: 2025-08-25T20:24:45.327

Link: CVE-2025-3456

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-26T08:54:55Z