CVE-2026-25623 | Severity: HIGH | CNA: Arista

CVE-2026-25623: Arista Edge Threat Management NGFW UI Arbitrary Command Execution

An input validation flaw in the browser-based management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) allows command execution. An authenticated administrator can use this flaw to execute terminal (shell) script code on the underlying system.

Metrics

  • CVSS v4.0: 7.0
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An input validation flaw in the browser-based management UI of Arista Edge Threat Management Next Generation Firewall (NGFW) allows command execution on the underlying host. The vulnerability is reachable over the network and requires a valid administrator account to exploit (CVSS vector AV:N, PR:H). Successful exploitation lets an attacker execute arbitrary terminal commands on the firewall host; per the CVSS vector, the confidentiality impact on the vulnerable system is high, the integrity and availability impact is low, and adjacent systems see low impact on all three (VC:H/VI:L/VA:L, SC:L/SI:L/SA:L). No fix version has been published by Arista; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package affected NGFW components at or below version 17.4.0. Any matching image in a connected registry or CI pipeline is flagged automatically.

Triage (Available)

HarborGuard scores this finding at CVSS 7.0 (HIGH) and weights it further against each customer organization's compliance policy to determine urgency. Triage routing delivers the alert to the appropriate team inbox within each org based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published by Arista, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NGFW management UI over the network; the service must be exposed to the attacker's network path.

  • Authentication: Required

    A valid administrator account is required; the attacker must possess or compromise high-privilege credentials before exploiting the flaw.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker operates entirely through their own authenticated session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.

Blast Radius

  • Reads sensitive data accessible to the underlying host process, including configuration files, credentials, and stored session material.
  • Modifies files or runtime state on the firewall host within the permissions of the executing process.
  • Partially disrupts normal operation of the firewall service, affecting traffic inspection and availability.
  • Produces limited spillover impact on adjacent systems or services connected to the firewall's management plane.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across customer environments, with affected images (those packaging Arista NGFW at or below version 17.4.0) flagged automatically on each scan cycle. Because Arista has not published a fix version, HarborGuard monitors the advisory continuously and will make a patched-image rebuild available immediately upon upstream release. For customers with auto-remediation enabled, the rebuild and regression run will trigger without manual intervention at that point. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the NGFW management UI to trusted administrator source ranges only, egress filtering to limit lateral movement from the firewall host, and auditing of administrator account access to detect unauthorized credential use. HarborGuard will surface a remediation action and open a PR against affected workloads as soon as a patched base image becomes available.

Affected packages
  • Arista Networks / Arista Edge Threat Management - Arista Next Generation Firewall (NGFW), versions ≤ 17.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:P