ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2024-27890 Authentication Bypass in Arista EOS OpenConfig gNMI Interface

A short review of CVE-2024-27890, a critical authentication bypass in Arista EOS that allows unauthorized gNMI Set requests to modify switch configuration on OpenConfig enabled platforms. Includes patch details and affected version information.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-04

Brief Summary: CVE-2024-27890 Authentication Bypass in Arista EOS OpenConfig gNMI Interface
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An authentication bypass in Arista EOS's OpenConfig implementation allows gNMI Set requests to modify switch configuration when they should be rejected, giving an attacker with network access to the management interface the ability to push unauthorized changes to data center switching infrastructure. With Arista holding a 21.3% share of the data center Ethernet switch market and over $9 billion in annual revenue, this vulnerability has the potential to affect a meaningful slice of global data center networks running programmable, OpenConfig enabled configurations.

Technical Information

Root Cause: CWE-306 Missing Authentication for Critical Function

CVE-2024-27890 is classified under CWE-306, which describes a weakness where software does not perform validation of user identity before allowing access to privileged application functionality. In this case, the gNMI Set request handler on Arista EOS platforms with OpenConfig configured fails to enforce proper authentication before executing configuration changes on the switch.

The gRPC Network Management Interface (gNMI) is a protocol defined by OpenConfig for the modification and retrieval of configuration from network target devices. As specified in the OpenConfig gNMI specification, the protocol defines "a gRPC based protocol for the modification and retrieval of configuration from a target device, as well as the control and generation of" telemetry data. The gNMI Set RPC is the specific operation that modifies device configuration. It specifies how to set one or more configurable attributes associated with a supported model, with a SetRequest sent from a client to a target device.

The core problem is that on affected EOS platforms, the authorization check that should gate the Set operation is missing or incorrectly implemented. A gNMI Set request can be executed when the system should have rejected it, resulting in "unexpected configuration" being applied to the switch.

CVSS v4.0 Vector Analysis

The CNA (Arista Networks) assessed this vulnerability with a CVSS v4.0 Base score of 7.2 HIGH using the vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. The input sourced CVSS v3.x score is 9.6. The key vector components break down as follows:

Vector ComponentValueInterpretation
AV (Attack Vector)N (Network)Exploitable remotely over the network
AC (Attack Complexity)L (Low)No special conditions required
AT (Attack Requirements)N (None)No special pre conditions
PR (Privileges Required)L (Low)Low privilege access sufficient
UI (User Interaction)N (None)No user interaction needed
VI (Integrity Impact)H (High)High integrity impact to the vulnerable system
VA (Availability Impact)H (High)High availability impact to the vulnerable system

The combination of network based attack vector, low complexity, and low privilege requirements makes this vulnerability particularly accessible to attackers. There is no confidentiality impact (VC:N), which is consistent with the nature of the flaw: it enables unauthorized configuration writes, not data exfiltration.

Attack Flow

Based on the vulnerability mechanism, exploitation would proceed as follows:

  1. Identify target: The attacker identifies an Arista EOS switch with OpenConfig configured and the gNMI service reachable over the network.
  2. Establish gRPC connection: The attacker connects to the gNMI service endpoint on the target switch.
  3. Send gNMI Set request: With only low level privileges (or potentially bypassing authentication entirely given the CWE-306 classification), the attacker crafts and sends a gNMI SetRequest message containing configuration modifications.
  4. Configuration applied: The switch processes the SetRequest without proper authorization validation and applies the configuration changes. These changes could include modifications to routing tables, access control lists, administrative credentials, or other critical switch parameters.

Scope Limitation: OpenConfig Requirement

A critical scoping factor is that the vulnerability only affects platforms where OpenConfig is configured. Organizations not using OpenConfig on their Arista switches are not vulnerable. However, OpenConfig is widely adopted in large scale data center and cloud environments for programmable network management, which means the most automation driven and typically largest deployments are the ones at risk.

Arista Security Advisory 0099 covers a second vulnerability, CVE-2024-27892, which shares the same root cause and description. Both CVEs involve the same gNMI Set request authentication gap on OpenConfig configured platforms. The dual CVE assignment may reflect distinct code paths or affected component boundaries within the EOS OpenConfig implementation. CVE-2024-27892 additionally requires an SSL profile, distinguishing it from CVE-2024-27890.

Patch Information

Arista Networks addressed CVE-2024-27890 through both permanent fixes integrated into new EOS releases and interim hotfix packages. The advisory (Security Advisory 0099, published July 2, 2024, last revised July 25, 2024) documents the resolution. The fix enforces proper authorization checks on incoming gNMI Set requests so that only authenticated and authorized sessions can modify device configuration via the OpenConfig interface. This internal bug was tracked by Arista as BUG 747512.

Fixed EOS Versions

Release TrainFirst Fixed Version
4.30.x4.30.0M and onwards
4.29.x4.29.8M and later
4.28.x4.28.11M and later

Arista recommends upgrading to EOS 4.30.6, 4.31.3, or later to fully remediate both CVE-2024-27890 and the related CVE-2024-27892.

Hotfix Packages

For environments where a full version upgrade is not immediately feasible, Arista provides downloadable SWIX hotfix extensions. These are targeted binary patches that address both CVE-2024-27890 and CVE-2024-27892 in place. Hotfixes are available for the following EOS versions in both 32 bit and 64 bit variants:

  • EOS 4.30.5: e.g., sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix
  • EOS 4.29.7: e.g., sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix
  • EOS 4.28.10.1: e.g., sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix

Each hotfix download is accompanied by a SHA-512 hash for integrity verification.

Important Operational Notes

Installing or uninstalling the SWIX hotfix will cause the OpenConfig/Octa process to restart, potentially making gNMI services unavailable for up to one minute. After applying the extension, administrators must run copy installed-extensions boot-extensions to ensure the patch persists across reboots.

Interim Configuration Controls

While not a substitute for patching, the following measures can reduce exposure:

  • Disable OpenConfig on devices where it is not operationally required, eliminating the attack surface entirely.
  • Restrict gNMI network access using access control lists or management plane protection features.
  • Segment management networks to ensure the gNMI interface is only reachable from authorized management segments.

Affected Systems and Versions

The vulnerability affects Arista EOS platforms with OpenConfig configured. Specifically:

  • EOS 4.30.x releases prior to 4.30.0M
  • EOS 4.29.x releases prior to 4.29.8M
  • EOS 4.28.x releases prior to 4.28.11M

The vulnerability is only exploitable when OpenConfig is enabled on the device. Platforms without OpenConfig configured are not affected.

Vendor Security History

Arista Networks maintains an active security advisory program with advisories numbering at least up to Advisory 0136, indicating a steady cadence of vulnerability disclosure and remediation. Prior advisories include responses to widely known vulnerabilities such as CVE-2024-6387 (OpenSSH "regreSSHion") addressed in Advisory 0100. For previous vulnerabilities, Arista has stated they were "not aware of any malicious uses of this issue in customer networks," suggesting a generally proactive security posture.

OpenCVE tracks multiple Arista EOS CVEs, including recent entries such as CVE-2025-8870 involving serial console input causing unexpected device reload. This pattern of ongoing vulnerability discoveries is consistent with the complexity of a Linux based modular network operating system. Arista also employs a "CVE Scanner" automated process that searches for publicly disclosed vulnerabilities in open source packages used in EOS, supporting their patch development and advisory publication workflow.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization