MEDIUM 5.9

CVE-2023-5502: Arista EOS 802.1x Authentication Bypass Vulnerability

Arista EOS devices configured with 802.1x authentication on network access ports have a weakness that allows a malicious user to bypass the authentication requirement under specific conditions. The vulnerability exists when 802.1x is enabled on access or trunk ports and routing is enabled on the access VLAN. An attacker could potentially gain network access without providing valid authentication credentials, though exploitation requires specific network configuration and circumstances to be in place.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-287
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2023-5502 is an authentication bypass vulnerability in Arista EOS affecting deployments with 802.1x port-based network access control. The flaw exists in the interaction between 802.1x authentication enforcement and VLAN routing configuration. When both 802.1x authentication and routing are enabled on the access VLAN of configured ports, the authentication state machine may fail to properly validate supplicant credentials before allowing data plane access. This is classified as an improper authentication issue (CWE-287) with a CVSS v3.1 score of 5.9 (Medium severity).

Business impact

This vulnerability creates a direct bypass of network access controls, allowing unauthorized devices to join the network segment without authentication. In organizations relying on 802.1x as a primary network access control mechanism for device onboarding, compliance, or security perimeter enforcement, this could permit malicious or non-compliant devices to access network resources. The impact is limited to availability and integrity of network access policies rather than data confidentiality, but could compromise network segmentation strategies and enable lateral movement by unauthorized actors who gain initial access.

Affected systems

Arista EOS platforms are affected when configured with 802.1x authentication on access or trunk ports and with routing enabled on the access VLAN. The vulnerability does not affect all EOS deployments—it requires this specific configuration combination. Organizations using Arista switches in environments without 802.1x authentication, or where routing is not enabled on access VLANs, are not impacted.

Exploitability

The vulnerability requires an attacker to act as a malicious supplicant with network proximity to the affected port. Exploitation complexity is rated as high, meaning specific network conditions and knowledge of the target configuration are necessary. The attacker cannot exploit this remotely; they must be in a position to connect to a physically or logically accessible port. No exploit code is known to be publicly available, and this vulnerability is not tracked in the CISA Known Exploited Vulnerabilities catalog.

Remediation

Organizations should contact Arista for guidance on patching or workarounds specific to their EOS version. Interim mitigations may include disabling routing on access VLANs where 802.1x is the primary security control, restricting physical access to network ports, or implementing additional network segmentation and monitoring. Verify the recommended patch version and timeline through official Arista security advisories before deploying.

Patch guidance

Check the Arista security advisory associated with CVE-2023-5502 for the specific EOS versions affected and the patched versions available. Patches should be tested in a non-production environment before deployment to validate compatibility with your network topology and services. Coordinate patching with your network change management process, as EOS updates may require device reboot or redundancy failover. Prioritize devices in high-security zones or those used for regulatory compliance enforcement.

Detection guidance

Monitor for authentication state transitions on ports configured with 802.1x, particularly failed or incomplete authentication handshakes followed by data plane activity. Review AAA (Authentication, Authorization, Accounting) logs for unauthenticated sessions. Collect NetFlow or sFlow data to identify unexpected traffic patterns from ports that should have rejected unauthenticated supplicants. Use port security features and MAC address tables to detect unauthorized device connections on protected VLANs. Validate that 802.1x port states match expected operational status across your inventory.

Why prioritize this

This vulnerability should be prioritized for organizations that depend on 802.1x for network access control and compliance, particularly in regulated industries or those with strict device onboarding policies. While the CVSS score is medium and exploitation is complex, the security function being bypassed—authentication—is fundamental to network trust. Prioritize devices in secure zones and those connected to sensitive network segments. Organizations without the specific configuration (802.1x + VLAN routing) can deprioritize, though a full audit of affected switch configurations is recommended.

Risk score, explained

The CVSS 5.9 (Medium) score reflects that the vulnerability allows an attacker with network access to bypass an important security control (high integrity impact on authentication), but requires high attack complexity and specific configuration. The attack vector is network-adjacent rather than remote, and there is no confidentiality impact. The score appropriately signals a need to remediate but does not indicate a critical emergency; however, the nature of the flaw—authentication bypass—warrants higher business priority than the numerical score alone suggests.

Frequently asked questions

Does this vulnerability affect all Arista EOS deployments?

No. The vulnerability only affects EOS configurations that have both 802.1x authentication enabled on access or trunk ports AND routing enabled on the access VLAN. If your deployment uses 802.1x without VLAN routing on those interfaces, or does not use 802.1x at all, you are not vulnerable to this specific flaw.

Can this vulnerability be exploited remotely?

No, the attacker must be in network proximity to the affected port—typically requiring physical access to a network jack or presence on a wireless network segment. It cannot be exploited from the internet or remote networks.

Is this vulnerability being actively exploited?

This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code is known. However, this does not mean exploitation is impossible; always follow your organization's patch management and monitoring practices.

What should I do first if I run Arista EOS?

Audit your switch configurations to identify which devices have both 802.1x enabled and routing enabled on access VLANs. Check Arista's security advisories for the specific patch versions for your EOS release. If your configuration is not vulnerable, document this. If vulnerable, schedule patching according to your change management process and monitor for suspicious activity in the interim.

This analysis is provided for informational purposes based on publicly available vulnerability data. The specific patch versions, workarounds, and timeline for availability should be verified directly with Arista's official security advisories and vendor support. Organizations should validate the applicability of this vulnerability to their environment before taking action. SEC.co does not provide definitive legal or compliance guidance; consult your compliance and legal teams regarding remediation timelines based on regulatory requirements and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).