CVE-2026-25621 PUBLISHED

Arista Edge Threat Management NGFW Reports Application Insecure Input Validation

Assigner: Arista
Reserved: 03.02.2026
Published: 05.06.2026
Updated: 05.06.2026

A vulnerability exists in the Reports application infrastructure of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. Only version 17.4.0 is affected; earlier software releases are not exposed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P
CVSS Score: 7

Product Status

Vendor Arista Networks
Product Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)
Versions Default: unaffected
  • Version 17.4.0 is affected

Affected Configurations

To be vulnerable, all of the following conditions must be met:

  • The NGFW system is running exactly version 17.4.0.
  • The user has successfully authenticated to the administrative interface with administrative privileges.
  • The user navigates to the Reports application dashboard under the Data subsystem.
  • A specially crafted malicious file is uploaded through the Import/Restore Data Backup Files field.
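The problem type below is CWE-78, so the defect is an uploaded backup filename or content reaching an OS command without neutralization. The following is an added, generic illustration of that weakness in a backup-import handler and of the corresponding fix; it is not Arista's code, and the upload directory, the `tar` invocation and the sample filenames are all constructed for this example.

```python
"""Added illustration of CWE-78 in a backup-import handler (not Arista code).

Constructed assumptions: the Import/Restore feature receives an uploaded
filename, and a restore step hands that name to an external archive tool.
The upload directory, the `tar` command line and every filename below are
hypothetical.
"""
import re
import shlex
from pathlib import Path

# Hypothetical upload location, constructed for this example.
UPLOAD_DIR = Path("/var/lib/example-ngfw/uploads")
RESTORE_DIR = "/tmp/restore"


def build_restore_command_unsafe(filename: str) -> str:
    """Weak pattern: user-controlled filename spliced into a shell string.

    If this string were handed to a shell, any metacharacters in the
    filename would be interpreted as part of the command line.
    """
    return f"tar -xzf {UPLOAD_DIR}/{filename} -C {RESTORE_DIR}"


# Allow-list for backup names: starts with an alphanumeric (so no hidden
# files and no leading '-' that a tool could read as an option), then only
# [A-Za-z0-9._-], bounded length, and a fixed .tar.gz suffix. No '/' means
# no directory traversal, and no shell metacharacters can appear at all.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$")


def validate_backup_name(filename: str) -> str:
    """Return the filename if it passes the allow-list, else raise ValueError."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected backup filename: %r" % filename)
    # Defence in depth: the resolved path must sit directly under UPLOAD_DIR.
    target = (UPLOAD_DIR / filename).resolve()
    if target.parent != UPLOAD_DIR.resolve():
        raise ValueError("rejected path outside upload directory: %r" % filename)
    return filename


def build_restore_command_hardened(filename: str) -> list:
    """Validate first, then return an argv list for use without a shell.

    Each element is passed to the program verbatim (e.g. subprocess.run(argv)
    with the default shell=False), so the filename is data, never syntax.
    """
    name = validate_backup_name(filename)
    return ["tar", "-xzf", str(UPLOAD_DIR / name), "-C", RESTORE_DIR]


def quoted_for_logging(argv: list) -> str:
    """Render an argv list for audit logs; quoting makes odd bytes visible."""
    return " ".join(shlex.quote(a) for a in argv)


def classify(filenames) -> dict:
    """Map each candidate filename to True (accepted) or False (rejected)."""
    result = {}
    for name in filenames:
        try:
            validate_backup_name(name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several shapes a
    # validator must refuse (metacharacters, traversal, option-looking names).
    samples = [
        "nightly-2026-05-01.tar.gz",
        "backup.tar.gz; id",
        "../../etc/backup.tar.gz",
        "-x.tar.gz",
        "$(true).tar.gz",
        "report.zip",
    ]
    for name, ok in classify(samples).items():
        print("accept" if ok else "reject", repr(name))
    print(quoted_for_logging(build_restore_command_hardened(samples[0])))
```

The fix has two independent parts: the allow-list decides what a filename may look like, and the argv list removes the shell from the call path entirely. Either alone narrows the bug; together they close it even if one is later weakened.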

Workarounds

As a general security best practice, restrict access to the administrative web interface to authorized administrators only.

Solutions

The recommended resolution is to upgrade to NGFW version 17.4.1 at your earliest convenience.

Credits

  • Jon Williams and Ronan Kervella of Bishop Fox (finder)

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impacts

  • CAPEC-88 OS Command Injection