PatchSiren cyber security CVE debrief
CVE-2025-5090 Arista Networks CVE debrief
A high-severity vulnerability was discovered in CVX, which could lead to a denial-of-service (DoS) scenario. An attacker with high privilege access to a connected switch could send custom TCP packets to CVX, causing agent crashes and instability in the CVX cluster.
- Vendor: Arista Networks
- Product: EOS / CloudVision eXchange (CVX)
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Administrators and users of CVX clusters, particularly those with high-privilege access to connected switches.
Technical summary
CVX is not resilient to unexpected messages from a connected switch. Such messages cause agent crashes on CVX, which in turn cause instability in the CVX cluster. An attacker could use this behavior to create a denial-of-service (DoS) scenario. Note that the attacker would need high-privilege access to the connected switch in order to send custom TCP packets to CVX.
Defensive priority
High
Recommended defensive actions
- Review and update CVX configurations to ensure resilience to unexpected messages.
- Implement access controls to limit high-privilege access to connected switches.
- Monitor CVX cluster stability and agent crashes.
Evidence notes
The vendor is identified as Arista, based on the provided evidence.
Official resources
- CVE-2025-5090 CVE record (CVE.org)
- CVE-2025-5090 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2025-5090 was published on 2026-06-05T17:16:30.347Z and modified on 2026-06-05T19:03:48.933Z.