CVE-2025-5088 HIGH

CVE-2025-5088: Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session

Vendor: Arista Networks
Product: EOS / CloudVision eXchange (CVX)
Weakness: CWE-269
Published: June 5, 2026
Last update: June 9, 2026

CVSS base score

8.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. This would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. All Redis communication, including authentication, currently occurs in plaintext. TLS support is tracked under RFE1294850.

Key dates

02 Disclosure timeline

June 5, 2026: CVE published
June 9, 2026: Record updated