Description
CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Published: 2026-06-05
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVX is not resilient to unexpected messages from a connected switch, which can cause agent crashes and destabilize the CVX cluster. The flaw is a classic input validation weakness (CWE-20). An attacker who gains high‑privilege access on a connected switch could send specially crafted TCP packets to trigger a crash, effectively creating a denial‑of‑service scenario.

Affected Systems

Arista Networks EOS and CloudVision eXchange (CVX) are affected. The vulnerability exists in all releases before 4.34.2F, 4.33.5M, and 4.32.7M for the 4.34, 4.33, and 4.32 trains respectively.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, so exploitation likelihood is unknown. Based on the description, the attacker would need high‑privilege access to a switch to send custom packets, suggesting a high‑privilege attack vector requiring prior compromise of the switch environment.

Generated by OpenCVE AI on June 5, 2026 at 17:52 UTC.

Remediation

Vendor Solution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. CVE-2025-5090 has been fixed in the following releases: * 4.34.2F and later releases in the 4.34.x train * 4.33.5M and later releases in the 4.33.x train * 4.32.7M and later releases in the 4.32.x train

Vendor Workaround

There is no mitigation for this issue.

OpenCVE Recommended Actions

  • Upgrade all CVX nodes to version 4.34.2F or later.
  • If running an earlier train, upgrade to at least 4.33.5M for 4.33 or 4.32.7M for 4.32.
  • Set up alerts for sudden agent crashes in CVX to detect potential exploitation attempts.

Generated by OpenCVE AI on June 5, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX.
Title Arista CloudVision Exchange Cluster Instability via Unexpected Switch Messages
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2026-06-05T15:49:27.770Z

Reserved: 2025-05-22T16:26:48.444Z

Link: CVE-2025-5090

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T17:16:30.347

Modified: 2026-06-05T17:16:30.347

Link: CVE-2025-5090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses