{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2826", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "state": "PUBLISHED", "assignerShortName": "Arista", "dateReserved": "2025-03-26T16:02:22.894Z", "datePublished": "2025-05-27T22:22:51.717Z", "dateUpdated": "2025-05-28T13:34:08.151Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["EOS"], "product": "EOS", "vendor": "Arista Networks", "versions": [{"status": "affected", "version": "4.33.2F", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">IPV4 ACL ipv4ACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n<span style=\"background-color: rgb(255, 255, 0);\">MAC ACL macAcl</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">Standard IPV6 ACL ipv6StandardACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et21/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et21/1\n</pre><div>&nbsp;</div><p>If IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><br><br>"}], "value": "In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nIPV4 ACL ipv4ACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch>show mac access-lists summary\nMAC ACL macAcl\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nStandard IPV6 ACL ipv6StandardACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et21/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et21/1\n\n\n\u00a0\n\nIf IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n\n\n\u00a0\n\nor\n\nswitch>show mac access-lists summary\n\n\n\u00a0\n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:</p><ol><li>Packets which should be permitted may be dropped and,</li><li>Packets which should be dropped may be permitted.</li></ol><br>"}], "value": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:\n\n * Packets which should be permitted may be dropped and,\n * Packets which should be dropped may be permitted."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2025-05-27T22:22:51.717Z"}, "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a></p><p>CVE-2025-2826 has been fixed in the following releases:</p><ul><li>4.33.2.1F, 4.33.3F and later releases in the 4.33.x train</li></ul>"}], "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-2826 has been fixed in the following releases:\n\n * 4.33.2.1F, 4.33.3F and later releases in the 4.33.x train"}], "source": {"advisory": "SA120", "defect": ["BUG 795398"], "discovery": "INTERNAL"}, "title": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.</span><br>"}], "value": "No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-28T13:33:59.901353Z", "id": "CVE-2025-2826", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T13:34:08.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.", "source": {"defect": ["BUG 795398"], "advisory": "SA120", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Arista Networks", "product": "EOS", "versions": [{"status": "affected", "version": "4.33.2F", "versionType": "custom"}], "platforms": ["EOS"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-2826 has been fixed in the following releases:\n\n * 4.33.2.1F, 4.33.3F and later releases in the 4.33.x train", "supportingMedia": [{"type": "text/html", "value": "<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a></p><p>CVE-2025-2826 has been fixed in the following releases:</p><ul><li>4.33.2.1F, 4.33.3F and later releases in the 4.33.x train</li></ul>", "base64": false}]}], "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120"}], "workarounds": [{"lang": "en", "value": "No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.</span><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:\n\n * Packets which should be permitted may be dropped and,\n * Packets which should be dropped may be permitted.", "supportingMedia": [{"type": "text/html", "value": "<p>n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:</p><ol><li>Packets which should be permitted may be dropped and,</li><li>Packets which should be dropped may be permitted.</li></ol><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input"}]}], "configurations": [{"lang": "en", "value": "In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nIPV4 ACL ipv4ACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch>show mac access-lists summary\nMAC ACL macAcl\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nStandard IPV6 ACL ipv6StandardACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et21/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et21/1\n\n\n\u00a0\n\nIf IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, similar to the following:\n\nswitch> show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n\n\n\u00a0\n\nor\n\nswitch>show mac access-lists summary\n\n\n\u00a0\n\nor\n\nswitch>show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)", "supportingMedia": [{"type": "text/html", "value": "<p>In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">IPV4 ACL ipv4ACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n<span style=\"background-color: rgb(255, 255, 0);\">MAC ACL macAcl</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et18/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et18/1\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n \n<span style=\"background-color: rgb(255, 255, 0);\">Standard IPV6 ACL ipv6StandardACL</span>\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 2\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: Et21/1\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active on &nbsp; &nbsp; Ingress:</span> Et21/1\n</pre><div>&nbsp;</div><p>If IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, similar to the following:</p><pre>switch&gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show mac access-lists summary\n</pre><div>&nbsp;</div><p>or</p><pre>switch&gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n&nbsp; &nbsp; &nbsp; &nbsp; Total rules configured: 27\n&nbsp; &nbsp; &nbsp; &nbsp; Configured on Ingress: control-plane(default VRF)\n&nbsp; &nbsp; &nbsp; &nbsp; Active on &nbsp; &nbsp; Ingress: control-plane(default VRF)\n</pre><br><br>", "base64": false}]}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2025-05-27T22:22:51.717Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-28T13:33:59.901353Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-05-28T13:34:03.587Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-2826", "state": "PUBLISHED", "dateUpdated": "2025-05-27T22:22:51.717Z", "dateReserved": "2025-03-26T16:02:22.894Z", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "datePublished": "2025-05-27T22:22:51.717Z", "assignerShortName": "Arista"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:\n\n * Packets which should be permitted may be dropped and,\n * Packets which should be dropped may be permitted."}, {"lang": "es", "value": "En las plataformas afectadas que ejecutan Arista EOS, es posible que no se apliquen las pol\u00edticas ACL. La activaci\u00f3n de las ACL de entrada IPv4, MAC o IPv6 est\u00e1ndar en una o m\u00e1s interfaces Ethernet o LAG puede provocar que no se apliquen las pol\u00edticas ACL para los paquetes entrantes. Esto puede provocar que los paquetes entrantes se permitan o denieguen incorrectamente. Los dos s\u00edntomas de este problema en la versi\u00f3n y plataforma afectadas son: * Los paquetes que deber\u00edan permitirse podr\u00edan descartarse y * Los paquetes que deber\u00edan descartarse podr\u00edan permitirse."}], "id": "CVE-2025-2826", "lastModified": "2025-05-28T15:01:30.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-27T23:15:21.400", "references": [{"source": "[email protected]", "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "[email protected]", "type": "Secondary"}]}

{}