CVE-2024-6858: Arista EOS 802.1X Multi-Auth Bypass via Fallback VLAN EAPOL Device
Arista EOS switches running in 802.1X authentication mode contain a logic flaw that can allow unauthorized devices to bypass port access controls. If an unauthenticated device is present on a port configured for multi-auth, and there is an EAPOL-capable (Extensible Authentication Protocol over LAN) device in the fallback VLAN, the unauthenticated device may be granted network access when it should remain blocked. This creates an authentication bypass condition specific to the multi-auth scenario and fallback VLAN configuration.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-1287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper handling of 802.1X multi-auth port state transitions in Arista EOS. During the multi-auth enforcement flow, when a fallback VLAN is configured and contains a device capable of responding to EAPOL frames, the switch's authentication logic may incorrectly permit an unauthenticated supplicant to transition to an authorized state without completing the required authentication handshake. This occurs because the presence of an EAPOL-capable device in the fallback VLAN influences the switch's decision to grant port access, bypassing the intended sequential authentication checks. The flaw is classified as an Improper Resource Validation (CWE-1287) issue.
Business impact
Compromised network segmentation and access control enforcement. An attacker positioned on a network segment with a multi-auth port and fallback VLAN containing an EAPOL-capable device could gain unauthorized access to protected network resources. This breaks the security perimeter established by 802.1X, potentially allowing lateral movement, data exfiltration, or persistence within the network. For organizations relying on port-based access control for endpoint compliance and security posture validation, this represents a gap in trust verification at the network edge.
Affected systems
Arista EOS switches operating in 802.1X authentication mode with multi-auth enabled and fallback VLAN configuration. The specific conditions required are: (1) 802.1X mode active on one or more ports, (2) multi-auth policy in use, and (3) fallback VLAN configured with at least one EAPOL-capable device present. Organizations using 802.1X for endpoint authentication on Arista switching infrastructure should audit their port configurations.
Exploitability
Exploitability is moderate and requires specific network configuration prerequisites. An attacker must have physical or logical access to a network segment connected to an affected multi-auth port, and the target environment must have both multi-auth enabled and a fallback VLAN with EAPOL capability. The attack requires no user interaction and no privileges, but the constellation of configuration requirements (multi-auth + fallback VLAN + EAPOL device presence) limits real-world exposure. The CVSS vector (AV:A/AC:L) reflects adjacent network access and low attack complexity once those conditions exist.
Remediation
Organizations should apply Arista EOS security updates that address the 802.1X multi-auth state machine logic. Until patches are available or deployed, operators should: (1) review multi-auth port configurations and validate that fallback VLAN devices are trusted, (2) consider disabling fallback VLAN functionality on sensitive ports if authentication bypass risk is unacceptable, (3) implement additional access controls or monitoring on network segments connected to multi-auth ports, and (4) monitor for unexpected device authorizations on 802.1X ports. Verify patch availability with Arista support and cross-reference against your current EOS version.
Patch guidance
Contact Arista Networks for available EOS updates addressing this 802.1X logic flaw. Provide your current EOS version and multi-auth configuration details to determine applicability. Test patches in a lab environment first, particularly if running production switches with 802.1X enforcement, to ensure port authentication behavior stabilizes correctly post-update. Verify that multi-auth and fallback VLAN functionality work as expected after patching.
Detection guidance
Monitor 802.1X port state transitions for anomalies: log and alert on ports transitioning from unauthenticated to authorized state without completing a full EAPOL authentication sequence. Review syslog entries for 'unauthorized device allowed' or similar authentication bypass indicators on multi-auth ports. Network access control (NAC) or 802.1X logging systems should flag cases where devices bypass authentication when multi-auth is active. Correlate device MAC addresses authorized on suspicious ports with known EAPOL-capable devices in fallback VLANs.
Why prioritize this
Although unconfirmed in active exploitation (KEV not listed), the vulnerability carries medium severity (CVSS 6.5) with direct integrity impact—successful exploitation grants unauthorized network access. The combination of 802.1X widespread deployment, multi-auth adoption for IoT and guest access scenarios, and the relative ease of exploitation in vulnerable configurations warrants prompt assessment. Prioritize if your infrastructure uses 802.1X multi-auth on Arista platforms; deprioritize if multi-auth or fallback VLAN features are not in use.
Risk score, explained
CVSS 6.5 (Medium) reflects integrity impact (access to network granted without authorization) and adjacent network access requirements, offset by the need for specific configuration prerequisites. The attack vector (Adjacent) and lack of complexity barrier (AC:L) indicate that an attacker on the local network can exploit this without special skills. No confidentiality or availability impact is documented; the flaw is confined to authorization bypass, hence the focus on integrity. The absence of privilege requirements and user interaction supports the medium severity rating.
Frequently asked questions
Does this affect all Arista EOS deployments?
No. The vulnerability only manifests on switches configured with 802.1X authentication in multi-auth mode and with a fallback VLAN present. Standard single-auth 802.1X configurations or networks without fallback VLANs are not affected. Verify your port configurations and authentication policies to determine exposure.
What is multi-auth mode and why is it vulnerable here?
Multi-auth mode allows multiple devices to authenticate independently on a single switch port (common in converged networks with VoIP, printers, and computers). The flaw occurs when the switch's authentication logic incorrectly trusts the presence of an EAPOL-capable device in the fallback VLAN as a signal to bypass full authentication for unauthenticated supplicants, rather than enforcing sequential handshakes.
Is there a workaround if I cannot patch immediately?
Short-term mitigations include: disabling fallback VLAN on high-sensitivity ports, restricting which devices can reside in fallback VLANs, and enabling detailed 802.1X logging to detect unauthorized transitions. Implement supplementary network access control (NAC) rules that do not rely solely on 802.1X state. These are not substitutes for patching but can reduce risk until updates are applied.
How do I verify if my Arista switches are affected?
Check your current EOS version and confirm whether 802.1X multi-auth and fallback VLAN are enabled on any ports. Contact Arista support with your configuration details to confirm compatibility with available fixes. Lab testing of patches before production deployment is strongly recommended.
This analysis is based on the published CVE record as of the modification date. Arista has not been listed on the KEV catalog; this does not indicate absence of active exploitation. Patch availability, affected version ranges, and specific remediation timelines should be verified directly with Arista Networks. Organizations should conduct their own risk assessment and testing before applying updates in production environments. SEC.co does not provide warranty or guarantee regarding the completeness or accuracy of third-party vendor information referenced herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability