CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-0505

CVSS 10.0v3.1pub. 2025-05-08upd. 2026-04-15

On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.

🤖 AI Analysis
How it works

The Zero Touch Provisioning mechanism, designed to automatically configure network devices without administrator intervention, can be abused by a network attacker without any authentication. By exploiting ZTP, the attacker gains administrative privileges on the CloudVision system — broader than necessary for normal operation (CWE-269: Improper Privilege Management). The vulnerability affects only on-premise deployments — both physical and virtual; the CloudVision as-a-Service offering is not vulnerable.

Impact

An attacker gains excessive administrative privileges on the CloudVision system, allowing them to read and modify the state and configuration of all network devices under management by this platform. This can lead to complete compromise of the managed network infrastructure.

Mitigation & patch

Apply patches available from the vendor according to references (Security Advisory 0115 published by Arista Networks at https://www.arista.com/en/support/advisories-notices/security-advisory/21315-security-advisory-0115). It is also recommended to consider restricting network access to ZTP and CloudVision interfaces only to trusted network segments until updates are applied.

Who is affected

Arista CloudVision — on-premise deployments (on-premise), both physical and virtual. The CloudVision as-a-Service (cloud) offering is not vulnerable. Detailed listings of affected product versions are available in the vendor's references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References