Description
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, currently occurs in plaintext. TLS support is tracked under RFE1294850.
Published: 2026-06-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated session to the Redis service used by Arista CloudVision Exchange (CVX) can be leveraged to gain full root privileges across all servers in the CVX cluster. The vulnerability stems from the fact that Redis authentication and all data exchanges occur in plaintext, allowing an attacker who holds a valid Redis password to impersonate the service and execute arbitrary commands with unrestricted system access.

Affected Systems

The flaw impacts Arista Networks EOS/CloudVision eXchange (CVX) environments. All versions prior to the following releases are vulnerable: EOS 4.34.2F and any earlier 4.34.x build, EOS 4.33.5M and any earlier 4.33.x build, EOS 4.32.7M and any earlier 4.32.x build, and EOS 4.31.9M and any earlier 4.31.x build. Updating to a later release within each train removes the flaw.

Risk and Exploitability

With a CVSS score of 8.7, the issue is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalogue. Exploitation requires network access to the Redis port on a CVX server and possession of a valid Redis password. Once those two prerequisites are met, an attacker can execute arbitrary commands as root on any server in the cluster. The available workaround of running Redis under a dedicated user and group mitigates the impact by limiting the scope of privileges but does not eliminate the authentication flaw.

Generated by OpenCVE AI on June 5, 2026 at 17:51 UTC.

Remediation

Vendor Solution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading, see EOS User Manual: Upgrades and Downgrades: https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades

CVE-2025-5088 has been fixed in the following releases:

  • 4.34.2F and later releases in the 4.34.x train
  • 4.33.5M and later releases in the 4.33.x train
  • 4.32.7M and later releases in the 4.32.x train
  • 4.31.9M and later releases in the 4.31.x train


Vendor Workaround

To run the redis-server as a dedicated "redis" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions. Please ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.

1. Log in to the CVX Server

Access your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.

2. Stop Redis Before Applying Changes

It is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service. Executing "no redis password" stops the Redis service by removing its authentication credentials, which prevents it from running.

    cvx>enable
    cvx#config
    cvx(config)#cvx
    cvx(config-cvx)#service mcs
    cvx(config-cvx-mcs)#no redis password
    cvx(config-cvx-mcs)#

3. Edit the redis.service Systemd Service File

This step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run. First, transition to bash mode from the CVX configuration prompt:

    cvx(config-cvx-mcs)#bash

Once in bash, use sudo nano to edit the redis.service file:

    [cvx ~]$sudo nano /etc/systemd/system/redis.service

4. Add 'User' and 'Group' Directives to the [Service] Section

Within the redis.service file, locate the [Service] section and add the following lines:

    [Service]
    User=redis
    Group=redis

This modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security. Save and exit the editor.

5. Change Ownership of the Redis Log File

To ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.

    [cvx ~]$sudo chown redis:redis /var/log/redis/redis.log

This step is required for the Redis server to be able to write logs once it restarts under the new user and group.

6. Restart Redis with New Changes

After making all necessary modifications, restart Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online. First, exit bash mode:

    [cvx ~]$exit

Then, reconfigure the Redis password:

    cvx(config-cvx-mcs)#redis password <secret>

Replace <secret> with your actual Redis password. This action will re-enable Redis, and it will now run with the specified redis user and redis group.

NOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.
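
Because the workaround has to be reapplied after every reload or power cycle, it helps to be able to confirm that it is still in effect. The following is an added example, not part of Arista's advisory: a shell audit of the unit file, the log file ownership and the user of the running redis-server process. The function names and the script name redis_audit.sh are hypothetical; the default paths are the ones given in the steps above.

```bash
#!/bin/sh
# Added example: audit that the dedicated-user workaround is still applied.
# Default paths are the ones named in the workaround steps.

# unit_directive FILE KEY: print the value of KEY inside the [Service] section.
unit_directive() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v    # a later assignment overrides an earlier one
        }
        END { print val }
    ' "$1"
}

# check_unit FILE: succeed only if both User=redis and Group=redis are set.
check_unit() {
    [ "$(unit_directive "$1" User)" = "redis" ] &&
    [ "$(unit_directive "$1" Group)" = "redis" ]
}

# audit [UNIT] [LOG]: report every deviation; non-zero status if any is found.
audit() {
    unit=${1:-/etc/systemd/system/redis.service}
    log=${2:-/var/log/redis/redis.log}
    rc=0
    check_unit "$unit" ||
        { echo "FAIL: $unit lacks User=redis/Group=redis in [Service]"; rc=1; }
    [ "$(stat -c '%U:%G' "$log" 2>/dev/null)" = "redis:redis" ] ||
        { echo "FAIL: $log is not owned by redis:redis"; rc=1; }
    # The unit file can be correct while an old process still runs as another user.
    for u in $(ps -o user= -C redis-server 2>/dev/null); do
        [ "$u" = "redis" ] || { echo "FAIL: redis-server is running as $u"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: Redis is confined to the redis user and group"
    return "$rc"
}

# Run the audit only when asked to, e.g.: sh redis_audit.sh audit
if [ "${1:-}" = "audit" ]; then audit; fi
```

Run it from bash mode on each CVX server after the Redis password has been reconfigured, and again after any reload; a directive placed outside the [Service] section is reported as missing.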


OpenCVE Recommended Actions

  • Upgrade the CVX software to a remediated release: EOS 4.34.2F or later in the 4.34.x train, EOS 4.33.5M or later in the 4.33.x train, EOS 4.32.7M or later in the 4.32.x train, or EOS 4.31.9M or later in the 4.31.x train.
  • If upgrading is not possible, configure the Redis service to run under a dedicated "redis" user and group by editing /etc/systemd/system/redis.service, adding "User=redis" and "Group=redis" to the [Service] section, ensuring the redis log file is owned by this user, and restarting the service.
  • Restrict network access to the Redis port on each CVX server to trusted hosts by configuring firewall rules or network segmentation, reducing the attack surface for the authenticated Redis session.

Generated by OpenCVE AI on June 5, 2026 at 17:51 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Title Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session
Weaknesses CWE-269
References
Metrics cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
Metrics cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2026-06-05T15:58:15.288Z

Reserved: 2025-05-22T16:20:16.105Z

Link: CVE-2025-5088

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T17:16:29.097

Modified: 2026-06-05T17:16:29.097

Link: CVE-2025-5088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses