10 May

Arista Networks has released a critical security advisory detailing a severe vulnerability in its CloudVision Portal (CVP) software, tracked as CVE-2024-11186, carrying the highest possible CVSS score of 10.0. This flaw, if exploited, could enable a malicious authenticated user to perform broader actions on managed EOS devices than originally intended, potentially compromising entire network infrastructures.
"On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended," Arista warned in the official advisory.
This vulnerability affects on-premise deployments of CloudVision Portal and does not impact CloudVision as-a-Service, significantly reducing the scope of exposure for cloud-hosted customers.

Arista confirms that a wide range of CVP software trains from 2017 through early 2024 are impacted. This includes:
- All releases in the 2023.x, 2022.x, 2021.x, 2020.x, 2019.x, 2018.x, and 2017.x trains
- Specific affected branches: 2024.3.0 and below, 2024.2.1 and below, 2024.1.2 and below

Affected platforms include both virtual and physical appliances of CloudVision Portal.

For CVE-2024-11186 to be exploitable, an attacker must first be authenticated to the CloudVision system. While this mitigates the risk of external exploitation, the vulnerability still poses a serious insider threat, especially in environments with shared access or compromised accounts.
"A user must be able to authenticate with CloudVision" to exploit this issue, Arista notes.
Arista recommends checking internal logs for anomalous activity. Specifically, administrators should inspect:
- CVP logs starting with "Request to execute:"
- RADIUS/TACACS logs on managed EOS devices

These entries can help security teams identify unauthorized or suspicious commands executed via the compromised interface.
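The advisory points at the "Request to execute:" lines but leaves the triage to the reader. The script below is an added example, not Arista's tooling or code from the advisory: it parses lines carrying that marker, counts requests per user, and flags non-"show" commands issued by accounts that are expected to be read-only. The line layout (timestamp, user=, device= fields) and the sample entries are constructed assumptions for illustration; the real CVP log format will differ and the regular expression must be adapted to it.

```python
import re
from collections import Counter

# Constructed sample CVP log excerpt. The field layout is an assumption made
# for this example; only the "Request to execute:" marker comes from the advisory.
SAMPLE_CVP_LOG = """\
2024-05-10T08:01:12Z INFO user=netops-alice device=leaf1 Request to execute: show version
2024-05-10T08:02:44Z INFO user=netops-alice device=leaf1 Request to execute: show interfaces status
2024-05-10T08:05:03Z INFO user=ro-auditor device=spine2 Request to execute: show running-config
2024-05-10T08:05:09Z INFO user=ro-auditor device=spine2 Request to execute: configure terminal
2024-05-10T08:05:15Z INFO user=ro-auditor device=spine2 Request to execute: interface Ethernet1
2024-05-10T08:05:16Z INFO user=ro-auditor device=spine2 Request to execute: shutdown
2024-05-10T08:06:30Z INFO health check ok
"""

# Matches only lines that carry the marker Arista tells administrators to look for.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) device=(?P<device>\S+) "
    r"Request to execute: (?P<cmd>.+)$"
)


def parse_execute_requests(log_text):
    """Return one dict (ts, user, device, cmd) per 'Request to execute:' line."""
    entries = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def is_read_only(cmd):
    """Treat EOS 'show ...' commands as read-only; everything else as a write."""
    return cmd.split(maxsplit=1)[0].lower() == "show"


def commands_per_user(entries):
    """How many device commands each CVP account requested in the window."""
    return Counter(entry["user"] for entry in entries)


def find_overreach(entries, read_only_users):
    """Flag write/config commands requested by accounts that should only read.

    Under CVE-2024-11186 an authenticated user may reach further than intended,
    so a read-only account issuing config-mode commands is the signal to chase
    in the device-side RADIUS/TACACS accounting logs.
    """
    return [
        entry
        for entry in entries
        if entry["user"] in read_only_users and not is_read_only(entry["cmd"])
    ]


if __name__ == "__main__":
    parsed = parse_execute_requests(SAMPLE_CVP_LOG)
    print("requests per user:", dict(commands_per_user(parsed)))
    for hit in find_overreach(parsed, read_only_users={"ro-auditor"}):
        print(f"REVIEW {hit['ts']} {hit['user']} -> {hit['device']}: {hit['cmd']}")
```

Feed the real log file in place of SAMPLE_CVP_LOG and populate read_only_users from the CloudVision role assignments; each flagged line should then be matched against the accounting record on the named EOS device to confirm whether the command actually ran.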
For those unable to immediately upgrade, Arista provides a temporary mitigation using an nginx configuration change:
    location ^~ /cvpservice/di/ {
        return 404;
    }

Follow this by reloading the nginx service using:

    nginx-app.sh reload

This blocks access to the vulnerable endpoint and provides a stopgap until a full patch can be applied.
Arista has released remediated software in the following versions:
- 2025.1.0 and later in the 2025.1.x train
- 2024.3.1, 2024.2.2, and 2024.1.3 in their respective trains

Customers are strongly encouraged to upgrade to the latest available patch train for full protection.
