How is CVE-2026-25620 exploited?

Network reachability (required): The attacker must reach the Captive Portal service over the network; local or physical access is not sufficient on its own. Authentication (required): Exploitation requires a high-privilege (admin-level) account on the affected system; low-privilege credentials are not sufficient. Victim interaction (not-required): No user interaction is needed; the attacker can trigger the vulnerability without involving any other party. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other variable environmental factors.

What is the impact of CVE-2026-25620?

Reads sensitive data from the vulnerable component, including potentially encrypted password material handled by the Captive Portal framework. Makes limited modifications to data on the affected component and adjacent connected systems. Causes partial degradation of the affected service and limited impact on availability of connected system components. Scope is marked as Subsequent (physical) in the vector, meaning impact can extend beyond the primary vulnerable component to neighbouring systems.

Back to search

HIGHCVE-2026-25620Published 2026-06-05Modified 2026-06-05CNA Arista

CVE-2026-25620: Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection

An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed.

CVSS v4.0: 7.0
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a command injection vulnerability in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW), affecting only version 17.4.0. The vulnerability is reachable over the network and requires high-privilege (admin-level) credentials to exploit. Successful exploitation gives an attacker the ability to read sensitive data, make limited modifications, and cause partial service disruption on both the affected component and connected systems. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication, including custom-built images that bundle the Arista NGFW Captive Portal framework. Ingestion from upstream feeds, including Arista's own advisories, runs continuously so any image tagged with the affected version 17.4.0 is flagged without delay.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.0 (HIGH) and weighting it against each environment's compliance policy to prioritize or suppress the alert appropriately. Triage routing directs findings to the right team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

Because no fix version has been published by Arista, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream releases a remediated version. In the meantime, HarborGuard surfaces the unresolved advisory in the findings feed so customers can apply compensating controls while waiting for an official fix.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Captive Portal service over the network; local or physical access is not sufficient on its own.
AuthenticationRequired
Exploitation requires a high-privilege (admin-level) account on the affected system; low-privilege credentials are not sufficient.
Victim interactionNot required
No user interaction is needed; the attacker can trigger the vulnerability without involving any other party.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other variable environmental factors.

Blast Radius

Reads sensitive data from the vulnerable component, including potentially encrypted password material handled by the Captive Portal framework.
Makes limited modifications to data on the affected component and adjacent connected systems.
Causes partial degradation of the affected service and limited impact on availability of connected system components.
Scope is marked as Subsequent (physical) in the vector, meaning impact can extend beyond the primary vulnerable component to neighbouring systems.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Arista advisory for CVE-2026-25620 across every customer environment running container images that include the affected NGFW Captive Portal framework at version 17.4.0. Because Arista has not yet published a fix, HarborGuard will automatically queue a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a remediated version is released upstream. While waiting for the official fix, customers can use HarborGuard network-policy controls to restrict inbound access to the Captive Portal service to trusted admin source IPs only, reducing the exposure window for this admin-credential-required exploit. Egress filtering and feature-flag gating on the Captive Portal component are also available as compensating controls where the workload configuration allows it.

See how HarborGuard automates this

Affected packages

Arista Networks / Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)
17.4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P

References

arista.com

Metrics

Get notified