CVE-2026-25622 | Severity: HIGH | CNA: Arista

CVE-2026-25622: Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection

A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands.

Metrics

CVSS v4.0: 7.0
Severity: HIGH
Fixed in: none published
Affected products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability exists in the Captive Portal Custom Handler component of Arista Edge Threat Management NGFW (versions up to and including 17.4.0). The vulnerability is reachable over the network by an authenticated administrative user through the product's web-based management interface, with no victim interaction required. Successful exploitation allows the attacker to execute arbitrary shell commands on the underlying platform. No fix version has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Arista NGFW components. Any image found running an affected version (17.4.0 or earlier) is flagged immediately.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.0 (HIGH) and weighting it against each environment's compliance policy to determine priority. Triage routing directs the alert to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Arista advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, the finding remains open and visible in each affected environment's vulnerability queue.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NGFW management interface over the network; the vulnerable handler is exposed via the web-based UI.

  • Authentication: Required

    An administrative account is needed; any user holding admin-level privileges in the management UI is sufficient to trigger the injection.

  • Victim interaction: Not required

    No action by a second user or victim is needed; the attacker interacts directly with the interface on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond holding admin credentials.

Blast Radius

  • The attacker executes arbitrary shell commands on the underlying platform, gaining direct OS-level access beneath the firewall application.
  • Confidentiality impact is high: the attacker reads sensitive platform data including credentials, configuration files, and stored secrets accessible to the shell.
  • Integrity of the host is partially affected: the attacker modifies files, configurations, or persisted state on the platform.
  • Availability of the host is partially affected: the attacker disrupts running processes or degrades service operation on the appliance.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-25622 at this time, the advisory is re-evaluated on every ingest cycle so a patched-image rebuild becomes available automatically the moment Arista publishes a fix. While waiting for an upstream patch, customers can apply compensating controls through HarborGuard-generated network policy recommendations, such as restricting management-interface exposure to a dedicated admin VLAN or VPN segment to reduce the pool of accounts that can reach the vulnerable handler. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be initiated without delay once a fix version is published. The finding remains surfaced in each affected environment's open vulnerability queue with its CVSS 7.0 HIGH severity score until resolution.

Affected packages
  • Arista Networks / Arista Edge Threat Management - Arista Next Generation Firewall (NGFW)
    ≤ 17.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P