MEDIUM 5.3

CVE-2024-27891: Arista EOS MACsec + Egress ACL Policy Enforcement Failure

Arista EOS devices that simultaneously use MACsec (a security protocol encrypting layer 2 traffic) and egress Access Control Lists (ACLs) on the same network interfaces may fail to enforce the intended ACL policies on outgoing traffic. This means packets that should be blocked by policy could be allowed to leave the device, or conversely, traffic that should be permitted might be incorrectly denied—effectively breaking the network's egress filtering controls.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-284
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability affects Arista EOS deployments where MACsec and egress ACLs are configured on overlapping interfaces. The underlying issue stems from a policy enforcement gap: when both security mechanisms operate on the same egress path, the ACL rules do not reliably apply, leading to inconsistent packet filtering behavior. The vulnerability is classified as an Improper Access Control (CWE-284) issue. With a CVSS 3.1 score of 5.3 and a network-accessible attack vector, the issue carries a Medium severity rating and requires no authentication or user interaction to manifest.

Business impact

Organizations relying on Arista EOS egress ACLs as part of their network security posture—particularly those using MACsec for layer 2 encryption—face a breakdown in traffic filtering controls. This could permit unauthorized or sensitive data to leave the network, violate compliance policies requiring strict egress controls, or allow attackers within the network to communicate outbound with command-and-control infrastructure. The integrity impact is direct: security policies become unreliable without remediation.

Affected systems

Arista EOS platforms are affected when both MACsec and egress ACLs are configured on the same interfaces. Organizations should inventory EOS deployments to identify instances where this specific configuration combination exists. The vendor has not published a list of fixed product versions in publicly available advisories at the time of this writing; consult Arista's security advisories for the current remediation timeline and affected firmware versions.

Exploitability

Exploitation does not require network authentication or user interaction and can be triggered by network-adjacent or remote actors depending on the network topology. However, the vulnerability is not straightforward weaponization: an attacker must first determine which packets the target organization intends to block, then verify that the ACL is misconfigured. The practical impact depends on whether the misconfigured ACL permits traffic that should be denied (data exfiltration risk) or blocks traffic that should be permitted (availability impact). The CVSS score reflects a low complexity but limited confidentiality impact, focusing on the integrity violation of policy enforcement.

Remediation

Temporarily mitigate this issue by avoiding the simultaneous use of MACsec and egress ACLs on the same interfaces until a patched EOS version is available. Alternatively, move MACsec sessions to different interfaces or reconfigure ACL logic on non-MACsec-protected ports. Monitor Arista's security bulletins for patched firmware releases. Once patches are available, plan a phased upgrade of affected EOS devices, testing the configuration in a non-production environment first to confirm both MACsec and ACL enforcement work correctly post-patch.

Patch guidance

Arista will release fixed EOS versions addressing this policy enforcement issue. Verify the specific patched version numbers and applicability to your EOS deployment through Arista's official security advisory. When patches become available, schedule maintenance windows to upgrade affected devices, prioritizing those where egress ACLs enforce critical security policies. Before production deployment, validate that the patch resolves the ACL enforcement issue without disrupting MACsec operation or other network functionality.

Detection guidance

Review Arista EOS configurations to identify interfaces where both MACsec and egress ACLs are active. Enable logging and monitoring on egress ACLs to detect unexpected permit/deny anomalies. Look for traffic flows that should be blocked by policy but appear in egress logs, or conversely, traffic that should be allowed but is being dropped. Correlate EOS syslog messages with NetFlow or similar traffic telemetry to spot policy enforcement gaps. Test ACL rules explicitly by sending known traffic flows and verifying they match expected deny/permit outcomes.

Why prioritize this

Although this issue carries Medium severity, it directly undermines network egress controls—a critical security boundary. Any organization using Arista EOS with both MACsec and egress ACLs should prioritize identifying these configurations and either separating the two mechanisms or upgrading to a patched version. The lack of active exploitation (KEV status: not listed) provides a window for deliberate remediation planning rather than emergency response, but the integrity impact on security policy enforcement warrants near-term action.

Risk score, explained

The CVSS 3.1 score of 5.3 (Medium) reflects a network-accessible attack vector, low attack complexity, and no authentication requirement, balanced against limited direct impact—primarily an integrity violation of policy enforcement rather than data confidentiality compromise. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates the vulnerability is easily triggered but does not directly leak sensitive data or cause system unavailability. However, the real-world risk is contextual: organizations with strict data exfiltration controls or compliance requirements will face elevated business risk despite the moderate CVSS score.

Frequently asked questions

Do I need to use both MACsec and egress ACLs on the same interface?

No. If your security architecture permits, consider deploying MACsec on one set of interfaces and egress ACLs on another to avoid this policy enforcement gap. Alternatively, use MACsec alone if layer 2 encryption suffices, or use ACLs alone if MACsec is not required. Separation simplifies troubleshooting and eliminates this particular vulnerability.

Will I see a warning in EOS logs if ACL enforcement fails?

Not necessarily. The vulnerability manifests as silent policy non-enforcement: packets may be allowed or denied without generating alerts. Audit egress traffic explicitly by comparing observed flows against your ACL rules. Use NetFlow, syslog analysis, or packet capture on egress interfaces to verify that policies are applied as intended.

What is the difference between this issue and normal ACL misconfiguration?

This vulnerability is a software defect in Arista EOS, not a misconfiguration error. Even if your ACL rules are correctly written, the EOS kernel fails to enforce them when MACsec is active on the same port. Correctly configured ACLs will appear to not work; the bug is in the platform, not your policy logic.

Is this vulnerability exploitable remotely without network access?

The CVSS vector lists AV:N (Network-Accessible), but practical exploitation depends on your network topology. An external attacker would need to send traffic destined for egress filtering. In-network or network-adjacent attackers have clearer line of sight. The vulnerability does not require authentication, but the attacker must be able to send packets toward your EOS device and observe or benefit from the policy bypass.

This analysis is based on the CVE record and publicly available vendor information as of the publication date. No exploit code or proof-of-concept is provided. Organizations should verify patch availability and applicability with Arista before assuming specific versions are affected or resolved. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. Security decisions should incorporate your organization's risk tolerance, network architecture, and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).