
CVE-2025-1259: Arista EOS Information Disclosure Flaw

CVE-2025-1259 is an information disclosure vulnerability in Arista EOS with OpenConfig that allows unauthorized gNOI requests to expose sensitive data. This article covers the technical details, affected systems, and mitigation.


CVE-2025-1259 Overview

CVE-2025-1259 is an improper access control vulnerability [CWE-284] affecting Arista Networks EOS platforms with OpenConfig configured. The flaw allows a gRPC Network Operations Interface (gNOI) request to execute when it should have been rejected by authorization controls. Authenticated users with limited privileges can retrieve data that should be restricted to higher-privileged accounts. The issue affects the confidentiality of management plane data exposed through the gNOI service.

Critical Impact

Authenticated low-privilege users can issue gNOI requests that bypass authorization checks, exposing sensitive configuration and operational data on Arista EOS devices running OpenConfig.

Affected Products

  • Arista EOS with OpenConfig configured
  • Devices exposing the gNOI management interface
  • Refer to Arista Security Advisory #0111 for the full list of affected EOS train versions

Discovery Timeline

  • 2025-03-04 - CVE-2025-1259 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-1259

Vulnerability Analysis

The vulnerability resides in the authorization logic of the gNOI service on Arista EOS when OpenConfig is enabled. gNOI is a gRPC-based protocol that exposes operational primitives such as System, File, Cert, and OS services for network device management. EOS is expected to evaluate the caller's role against the requested gNOI RPC and reject calls that exceed the caller's privilege.

Under the affected configuration, certain gNOI requests bypass this evaluation. The request is dispatched to the underlying handler and returns data to the caller. The result is an information disclosure condition where a low-privileged authenticated user obtains data restricted to higher roles.

Root Cause

The root cause is improper access control [CWE-284] in the gNOI request dispatch path. The authorization check does not consistently apply to all RPCs exposed through OpenConfig integration, allowing requests to proceed without role enforcement.
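The dispatch pattern described above, modelled as a small added example. This is not Arista's code (the EOS gNOI dispatcher is not public, and the advisory does not say which RPCs or which check are involved); it shows the general shape of "the authorization check does not consistently apply to all RPCs": a per-method policy table that the flawed dispatcher consults only for methods it happens to contain, beside a fixed dispatcher that denies anything not explicitly granted. The method names are real gNOI RPC names; the two roles, the policy table contents and the handler are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed role model (hypothetical): one read-only role and one admin role.
READ_ONLY_ROLE = "network-operator"
ADMIN_ROLE = "network-admin"

# Assumed policy table (hypothetical): full gNOI method name -> roles allowed
# to call it. The method names are real gNOI RPCs; the mapping is illustrative.
POLICY: Dict[str, FrozenSet[str]] = {
    "/gnoi.system.System/Ping": frozenset({READ_ONLY_ROLE, ADMIN_ROLE}),
    "/gnoi.system.System/Time": frozenset({READ_ONLY_ROLE, ADMIN_ROLE}),
    "/gnoi.system.System/Reboot": frozenset({ADMIN_ROLE}),
    "/gnoi.file.File/Get": frozenset({ADMIN_ROLE}),
    "/gnoi.cert.CertificateManagement/GetCertificates": frozenset({ADMIN_ROLE}),
}


@dataclass(frozen=True)
class Call:
    method: str  # full gRPC method name, as a server interceptor sees it
    role: str    # role the caller authenticated as


def handler(call: Call) -> str:
    """Stand-in for the real RPC handler; a returned string models 'data was disclosed'."""
    return f"response for {call.method}"


def dispatch_vulnerable(call: Call) -> Optional[str]:
    """Flawed pattern: the role check only runs for methods present in POLICY.

    An RPC missing from the table (a newer gNOI service, a method the policy
    author forgot) falls through to the handler with no role check at all.
    Returns the handler result, or None when the call is rejected.
    """
    allowed = POLICY.get(call.method)
    if allowed is not None and call.role not in allowed:
        return None
    return handler(call)


def dispatch_fixed(call: Call) -> Optional[str]:
    """Deny-by-default: every RPC must be explicitly granted to the caller's role."""
    allowed = POLICY.get(call.method, frozenset())
    if call.role not in allowed:
        return None
    return handler(call)


if __name__ == "__main__":
    # /gnoi.file.File/Stat is a real RPC that the hypothetical policy forgot to list.
    probe = Call("/gnoi.file.File/Stat", READ_ONLY_ROLE)
    print("vulnerable:", dispatch_vulnerable(probe))  # handler runs, data returned
    print("fixed:     ", dispatch_fixed(probe))       # None: rejected before dispatch
```

The cost of the fixed version is visible in the last case: an RPC nobody has written policy for is unusable even for the admin role until an entry is added. That is the safe failure mode for a management plane, and it is the reason a deny-by-default interceptor belongs in front of the gRPC server rather than inside individual handlers.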

Attack Vector

Exploitation requires network access to the device's gNOI endpoint and valid credentials for a low-privileged account. The attacker issues a gNOI RPC over gRPC that the caller's role should not be permitted to invoke; EOS dispatches the request anyway and returns its result, so data scoped to an administrative role reaches a lower-privileged caller. No user interaction is required, and the impact described is limited to confidentiality. The advisory describes the behavior; no public proof of concept accompanies it. Refer to Arista Security Advisory #0111 for the affected RPCs and conditions.

Detection Methods for CVE-2025-1259

Indicators of Compromise

  • Unexpected gNOI RPC calls originating from accounts not assigned administrative roles
  • gRPC sessions to TCP port 6030 (the EOS default for the OpenConfig gRPC transport, which serves both gNMI and gNOI) or other configured gNOI ports from non-management subnets
  • AAA accounting logs showing successful read operations on configuration or telemetry paths by limited-privilege users

Detection Strategies

  • Enable AAA command accounting and gRPC service logging on EOS and forward events to a centralized analytics platform
  • Baseline expected gNOI callers per role, then alert on any RPC executed by an account outside that baseline
  • Correlate gNOI session metadata (username, source IP, and RPC method) against the device's role-based authorization model, so that a successful RPC by a role that should not be able to call it stands out

Monitoring Recommendations

  • Ingest EOS syslog, AAA accounting, and gRPC audit events into a SIEM or data lake for retention and correlation
  • Alert on bulk reads by non-administrative principals, whether gNOI (File Get/Stat, certificate retrieval) or gNMI Get/Subscribe on openconfig-interfaces, openconfig-system, or certificate-related paths
  • Monitor for new gNOI client identities, certificate fingerprints, or source ASNs interacting with the management plane
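The detection strategies and monitoring recommendations above, applied to sample log lines as an added example (not code from the page or from Arista). The log line format is constructed for this example; real EOS AAA accounting and gRPC log lines look different, so the regex must be adapted to the fields your devices emit. The management subnet, the per-role RPC baseline, the known-client list and the bulk-read threshold are assumptions, and the seven sample lines are constructed rather than captured.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed log line format (hypothetical): one gNOI call per line. Real EOS
# AAA accounting / gRPC log lines differ; adapt LOG_RE to your actual fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) gnoi: user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+) status=(?P<status>\S+)$"
)

# Assumptions about the monitored environment.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # trusted jump-host subnet
ANY = None                                          # sentinel: role may call any RPC
ROLE_BASELINE: Dict[str, Optional[FrozenSet[str]]] = {
    "network-admin": ANY,
    "network-operator": frozenset({"/gnoi.system.System/Ping",
                                   "/gnoi.system.System/Time"}),
}
KNOWN_CLIENTS = {("alice", "10.0.0.12"), ("bob", "10.0.0.40")}  # (user, src) baseline
BULK_READ_METHODS = {
    "/gnoi.file.File/Get",
    "/gnoi.file.File/Stat",
    "/gnoi.cert.CertificateManagement/GetCertificates",
}
BULK_READ_THRESHOLD = 3  # successful reads by one user before raising bulk_read

Alert = Tuple[str, str, str]  # (kind, user, detail)


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    read_counts: Counter = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] != "OK":
            # Only successful calls matter for this CVE: a rejected call is the
            # authorization working. Denied attempts are still worth counting as
            # reconnaissance, but that is a separate rule.
            continue
        user, role, src, method = ev["user"], ev["role"], ev["src"], ev["method"]

        # 1. Role baseline: an RPC succeeded that this role should never reach.
        #    Unknown roles get an empty allow-set, so they always alert.
        allowed = ROLE_BASELINE.get(role, frozenset())
        if allowed is not ANY and method not in allowed:
            alerts.append(("role_mismatch", user, method))

        # 2. Source address outside the management subnets.
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
            alerts.append(("non_mgmt_source", user, src))

        # 3. Client identity never seen before.
        if (user, src) not in KNOWN_CLIENTS:
            alerts.append(("new_client", user, src))

        # 4. Bulk reads of file or certificate material by one principal.
        if method in BULK_READ_METHODS:
            read_counts[user] += 1
            if read_counts[user] == BULK_READ_THRESHOLD:
                alerts.append(("bulk_read", user, method))
    return alerts


# Constructed sample log: not taken from any real device.
SAMPLE_LOG = [
    "2025-03-05T10:14:02Z sw1 gnoi: user=alice role=network-admin src=10.0.0.12 method=/gnoi.system.System/Reboot status=OK",
    "2025-03-05T10:15:10Z sw1 gnoi: user=bob role=network-operator src=10.0.0.40 method=/gnoi.system.System/Ping status=OK",
    "2025-03-05T10:16:01Z sw1 gnoi: user=bob role=network-operator src=10.0.0.40 method=/gnoi.file.File/Get status=OK",
    "2025-03-05T10:16:03Z sw1 gnoi: user=bob role=network-operator src=10.0.0.40 method=/gnoi.file.File/Stat status=OK",
    "2025-03-05T10:16:05Z sw1 gnoi: user=bob role=network-operator src=10.0.0.40 method=/gnoi.cert.CertificateManagement/GetCertificates status=OK",
    "2025-03-05T10:20:44Z sw1 gnoi: user=mallory role=network-operator src=192.0.2.7 method=/gnoi.file.File/Get status=PERMISSION_DENIED",
    "2025-03-05T10:20:50Z sw1 gnoi: user=mallory role=network-operator src=192.0.2.7 method=/gnoi.system.System/Time status=OK",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample input the operator account bob triggers three role_mismatch alerts and one bulk_read, which is the signature this CVE would leave: successful privileged reads attributed to a role that should have been refused. The mallory lines show the other two rules, a successful call from outside the management subnet by an identity not in the baseline, which is worth an alert even when the RPC itself is within the role's normal scope.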

How to Mitigate CVE-2025-1259

Immediate Actions Required

  • Identify all EOS devices with OpenConfig and gNOI enabled and inventory accounts authorized to reach the management interface
  • Apply the fixed EOS release identified in Arista Security Advisory #0111
  • Rotate credentials and certificates used by accounts that had gNOI access prior to patching, in case of prior misuse

Patch Information

Arista has published fixed EOS versions in Arista Security Advisory #0111. Operators should consult the advisory to map their current EOS train to the corresponding remediated release and schedule an upgrade through standard change management.

Workarounds

  • Restrict gNOI and gRPC management access to a dedicated, ACL-protected management VRF reachable only from trusted jump hosts
  • Limit OpenConfig user accounts to administrators until the patch is applied, removing low-privileged accounts from the gNOI service
  • Require mutual TLS (mTLS) client certificates for gNOI sessions and revoke any certificates that are not strictly required
```
! Example (not from the advisory): restrict the OpenConfig gRPC transport, which
! serves both gNMI and gNOI, to a management VRF, an ACL and an mTLS SSL profile.
! Certificate and key file names under the SSL profile are placeholders.
management security
   ssl profile GNOI-MTLS
      certificate gnoi-server.crt key gnoi-server.key
      trust certificate gnoi-client-ca.crt
!
management api gnmi
   transport grpc MGMT
      port 6030
      vrf MGMT
      ip access-group GNOI-ALLOW
      ssl profile GNOI-MTLS
!
ip access-list GNOI-ALLOW
   10 permit tcp 10.0.0.0/24 any eq 6030
   20 deny ip any any log
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
