CVE-2026-25620

Description

An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

High

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

Low

Availability (Subsequent System)

Low

Scope

Physical

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Affected products

Arista Networks / Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)17.4.0 – 17.4.0

References

VENDOR_ADVISORYhttps://www.arista.com/en/support/advisories-notices/security-advisory/22867-security-advisory-0133