CVE-2025-8873: Arista EOS IPsec Denial of Service Vulnerability
A flaw in Arista EOS can be triggered by a specially crafted network packet when IPsec is enabled, causing the system to stop forwarding all IPsec-protected traffic. While the control plane may attempt to recover and restart IPsec processing, traffic flow may not resume afterward. Non-IPsec traffic and IPsec sessions not local to the affected device remain unaffected. An Arista customer first reported this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1286
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-8873 affects Arista EOS platforms configured with IPsec. A malformed packet can trigger a denial-of-service condition in the dataplane's IPsec processing pipeline, halting all IPsec traffic forwarding on the affected system. The control plane may detect the stalled pipeline and initiate a reset sequence; however, recovery does not guarantee resumption of traffic forwarding. The vulnerability stems from improper packet validation or state management in the IPsec implementation (CWE-1286: Improper Validation of Specified Quantity in Input). Transit traffic and non-IPsec flows bypass the affected dataplane component and are not impacted. Exploitation requires network-level access to send a specially crafted packet destined for or transiting through the device.
Business impact
Organizations relying on Arista EOS for IPsec-encrypted communications face potential service disruption. An attacker can render IPsec tunnels inoperative on a targeted device with a single malicious packet, interrupting encrypted site-to-site connections, remote access VPNs, or other IPsec-dependent workflows. Unlike a network-wide outage, the impact is confined to IPsec traffic on the compromised device; however, for environments where IPsec is a critical security boundary, this constitutes a high-priority availability and compliance risk. The lack of guaranteed recovery after a reset attempt increases operational complexity and may require manual intervention.
Affected systems
Arista EOS running on platforms with IPsec enabled. The vendor has not disclosed specific EOS versions or hardware models. Organizations should consult Arista's security advisory and verify which platforms and software versions in their environment are susceptible. Non-IPsec configurations are not affected.
Exploitability
The vulnerability requires no authentication, special privileges, or user interaction. Exploitation simply demands network-level access to send a crafted packet to or through the affected device. The CVSS score of 7.5 (High) reflects the low attack complexity and lack of access restrictions. However, practical exploitation may be limited by network segmentation or ingress filtering that prevents external attackers from sending malicious traffic to internal IPsec endpoints. Internal attackers or compromised adjacent systems on the same network segment pose a realistic threat.
Remediation
Arista will issue a patched version of EOS that resolves improper packet validation in the IPsec pipeline. Customers should apply the patch at the earliest opportunity, prioritizing devices on security-critical paths or exposed to untrusted networks. Until patching is feasible, implement network-based mitigations such as ingress filtering, rate limiting on suspected attack vectors, or restricting IPsec endpoints to trusted peer IP ranges. Monitor IPsec session state for unexpected resets or traffic interruptions.
Patch guidance
Consult the official Arista security advisory (linked from the vendor's security page) for the specific EOS version numbers containing the fix. Verify the patch availability for your hardware platform before scheduling maintenance. Test the patch in a non-production environment to confirm IPsec recovery behavior and confirm no regressions in non-IPsec traffic handling. Patch rollout should coordinate with change management and may require a controlled restart of affected devices.
Detection guidance
Monitor Arista EOS syslog and netflow telemetry for abrupt drops in IPsec traffic volume or repeated IPsec pipeline resets without corresponding configuration changes. Inspect packet captures on IPsec interfaces for malformed or anomalous frames preceding traffic loss. Configure alerting on IPsec session state changes, particularly unexpected transitions to "down" or repeated state flapping. Correlate any traffic loss with ingress firewall logs or IDS alerts that may indicate an attack source.
Why prioritize this
This vulnerability scores 7.5 (High) due to unauthenticated network-level exploitability and high availability impact. However, the attack surface is narrower than typical network-facing flaws: the attacker must reach an IPsec endpoint, and non-IPsec functions remain operational. Prioritize patching for Arista devices that terminate IPsec tunnels from untrusted or semi-trusted peers, or that bridge critical encrypted communications. Devices in fully internal networks with strict ingress controls may be deprioritized relative to externally accessible IPsec gateways.
Risk score, explained
CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields a base score of 7.5. The 'AV:N' (Attack Vector: Network) and 'AC:L' (Attack Complexity: Low) indicate an attacker can craft and deliver a malicious packet from the network without special conditions. 'PR:N' (no privileges required) and 'UI:N' (no user interaction) confirm the low barrier to exploitation. 'C:N/I:N' (no confidentiality or integrity impact) reflect that this is purely an availability attack. 'A:H' (Availability: High) captures the complete denial of IPsec forwarding. The score is not higher because the vulnerability is scoped to a single device and a specific traffic class (IPsec), not a system-wide or multi-user outage.
Frequently asked questions
Will this vulnerability affect my Arista devices if IPsec is not configured?
No. The vulnerability only manifests on systems with IPsec explicitly enabled. Devices running EOS without IPsec are unaffected, as the vulnerable code path is only active when IPsec processing is in use.
If my IPsec session is hit by this attack and then recovered, is my tunnel secure after recovery?
Recovery brings the tunnel back to normal operation, but the prior disruption caused a denial of service. The vulnerability is not a cryptographic or authentication bypass, so encrypted traffic remains protected once the pipeline recovers. However, the fact that recovery is not guaranteed after a reset is the core issue; you may need manual intervention to restore traffic.
Can an attacker on my LAN trigger this remotely, or does the malicious packet have to originate from a specific direction?
The vulnerability requires network-level access to send a crafted packet. If your IPsec endpoint is exposed to an untrusted network segment or if an internal attacker or compromised host exists on the same network, exploitation is feasible. Devices protected by strict ingress filtering or positioned behind a perimeter firewall that blocks crafted packets are at lower risk.
What should I do if I see repeated IPsec resets in my Arista logs but haven't deployed the patch yet?
Monitor logs and packet captures to identify the source of the malicious traffic. Implement temporary mitigations such as rate limiting on IPsec traffic, blocking suspect source IP ranges, or restricting IPsec peers to a whitelist of known trusted addresses. Schedule patching urgently and consider escalating to Arista support if you suspect active exploitation.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Vendor-specific details (affected versions, patch release dates, hardware models) have not been disclosed as of the publication date and must be verified against the official Arista security advisory. Organizations should consult their risk management and compliance teams before implementing mitigations. No exploit code or weaponized proof-of-concept has been published or tested against this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25720MEDIUMDräger SC Monitoring DoS – Network Reboot Attack
- CVE-2019-25723MEDIUMDräger Perseus A500 Medibus DoS Vulnerability – CVSS 4.0 Analysis & Mitigation
- CVE-2021-4479MEDIUMDräger Atlan A350 Denial of Service via Medibus Interface
- CVE-2026-10099MEDIUMXX-Net V5.16.6 WebSocket Frame Parsing Data Corruption
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface