CVE-2025-8873 (GCVE-0-2025-8873)
Vulnerability from cvelistv5 – Published: 2026-06-04 23:04 – Updated: 2026-06-05 18:31
Title
Arista EOS Dataplane Denial of Service via Malformed IPsec Packet
Summary
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
Arista
References
1 reference
| URL | Tags |
|---|---|
| https://www.arista.com/en/support/advisories-noti… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Arista Networks | EOS | Affected: 4.33.0M, ≤ 4.33.4M (custom); Affected: 4.32.0M, ≤ 4.32.6.1M (custom); Affected: 4.31.0M, ≤ 4.31.7.1M (custom); Affected: 4.30.0M, ≤ 4.30.10M (custom); Affected: 4.29.0M, ≤ 4.29.10.1M (custom) |
Date Public
2026-06-04 22:53
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:31:22.291972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:31:35.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"7020SRG Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.33.4M",
"status": "affected",
"version": "4.33.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.32.6.1M",
"status": "affected",
"version": "4.32.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.7.1M",
"status": "affected",
"version": "4.31.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.10M",
"status": "affected",
"version": "4.30.0M",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.10.1M",
"status": "affected",
"version": "4.29.0M",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf IPsec is not configured there is no exposure to this issue and the message will look like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eswitch\u0026gt;show ip security connection\nLegend: (P) policy based VPN tunnel.\u003c/code\u003e\u003c/pre\u003e"
}
],
"value": "In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.\n\n\n\n\nIf IPsec is not configured there is no exposure to this issue and the message will look like:\n\n\n\n\nswitch\u003eshow ip security connection\nLegend: (P) policy based VPN tunnel."
}
],
"datePublic": "2026-06-04T22:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.\u003c/p\u003e"
}
],
"value": "On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:04:56.535Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-8873 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.5M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.7M and later releases in the 4.32.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal:\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ehttps://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThis may momentarily impact traffic. 
Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\u003c/p\u003e\u003cpre\u003eswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u0026nbsp;\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e:\u003c/p\u003e\u003cpre\u003eswitch(config-tcam)#show hardware tcam profile\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Configuration\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\nFixedSystem\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003e\u2018\u003cb\u003eipsec-egress-padding-removal\u003c/b\u003e\u2019 differs from the \u2018\u003cb\u003eipsec\u003c/b\u003e\u2019 TCAM profile in two ways:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress IP ACLs are disabled\u003c/li\u003e\u003cli\u003eFixes for BUG603398 and BUG1246592 are applied\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see\u00a0 https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .\n\n\n\nThis may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.\n\n\n\nswitch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n\n\n\u00a0\n\n\n\nTo ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match\u00a0ipsec-egress-padding-removal:\n\n\n\nswitch(config-tcam)#show hardware tcam profile\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Configuration\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\nFixedSystem\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ipsec-egress-padding-removal \nipsec-egress-padding-removal\n\n\n\u00a0\n\n\n\n\u2018ipsec-egress-padding-removal\u2019 differs from the \u2018ipsec\u2019 TCAM profile in two ways:\n\n * Egress IP ACLs are disabled\n * Fixes for BUG603398 and BUG1246592 are applied"
}
],
"source": {
"advisory": "127",
"defect": [
"BUG 1246592"
],
"discovery": "EXTERNAL"
},
"title": "Arista EOS Dataplane Denial of Service via Malformed IPsec Packet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere are no mitigations for this vulnerability.\u003c/p\u003e"
}
],
"value": "There are no mitigations for this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2025-8873",
"datePublished": "2026-06-04T23:04:56.535Z",
"dateReserved": "2025-08-11T18:28:43.460Z",
"dateUpdated": "2026-06-05T18:31:35.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-8873",
"date": "2026-06-06",
"epss": "0.00019",
"percentile": "0.0522"
}
}
}