CVE-2025-3456 (GCVE-0-2025-3456)

Vulnerability from cvelistv5 – Published: 2025-08-25 20:02 – Updated: 2025-08-25 20:31
Summary
On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Arista
Impacted products
Vendor           Product   Version
Arista Networks  EOS       Affected: 4.34.0F (custom)
                           Affected: 4.33.0 up to and including 4.33.3F (custom)
                           Affected: 4.32.0 up to and including 4.32.5M (custom)
                           Affected: 4.31.0 up to and including 4.31.7M (custom)
                           Affected: 4.30.0 up to and including 4.30.10M (custom)
                           Affected: 4.29.0 up to and including 4.29.10M (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3456",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-25T20:31:37.034026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-25T20:31:54.730Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "EOS"
          ],
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "status": "affected",
              "version": "4.34.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.33.3F",
              "status": "affected",
              "version": "4.33.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.32.5M",
              "status": "affected",
              "version": "4.32.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.7M",
              "status": "affected",
              "version": "4.31.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.10M",
              "status": "affected",
              "version": "4.30.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.10M",
              "status": "affected",
              "version": "4.29.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-3456, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe global custom encryption key must be configured:\u003c/p\u003e\u003cpre\u003eswitch#show running-config | sect management security\nmanagement security\n\u0026nbsp; \u0026nbsp;password encryption-key common custom \u0026lt;key\u0026gt;\u003c/pre\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2025-3456, the following condition must be met:\n\nThe global custom encryption key must be configured:\n\nswitch#show running-config | sect management security\nmanagement security\n\u00a0 \u00a0password encryption-key common custom \u003ckey\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-545",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-545: Pull Data from System Resources"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T20:02:48.722Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://https://www.arista.com/en/support/advisories-notices/security-advisory/22022-security-advisory-0122"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eCVE-2025-3456 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.34.1F and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.4M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.6M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.8M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\n\u00a0\n\nCVE-2025-3456 has been fixed in the following releases:\n\n  *  4.34.1F and later releases in the 4.34.x train\n  *  4.33.4M and later releases in the 4.33.x train\n  *  4.32.6M and later releases in the 4.32.x train\n  *  4.31.8M and later releases in the 4.31.x train"
        }
      ],
      "source": {
        "advisory": "122",
        "defect": [
          "BUG1114420"
        ],
        "discovery": "INTERNAL"
      },
      "title": "On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-c",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience and afterwards rotate the custom global encryption-key.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience and afterwards rotate the custom global encryption-key."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2025-3456",
    "datePublished": "2025-08-25T20:02:48.722Z",
    "dateReserved": "2025-04-08T21:38:05.413Z",
    "dateUpdated": "2025-08-25T20:31:54.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}