CVE-2021-28503

In Arista's EOS software affected releases, eAPI might skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

Description

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

Remediation

Solution:

  • The recommended resolution is to upgrade to a remediated software version at your earliest convenience. The vulnerability is fixed in the following EOS versions: 4.26.3 and later releases in the 4.26.x train 4.25.6 and later releases in the 4.25.x train 4.24.8 and later releases in the 4.24.x train 4.23.10 and later releases in the 4.24.x train

Workaround:

  • Disallowing user certificate authentication via eAPI can be used to mitigate the vulnerability. switch(config)#management security switch(config-mgmt-security)#ssl profile profileEAPI switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert switch(config-mgmt-sec-ssl-profile-profileEAPI)#exit

Categories

7.4
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.45%
Vendor Advisory arista.com
Affected: Arista Networks Arista EOS
Published at:
Updated at:

References

Link Tags
https://www.arista.com/en/support/advisories-notices/security-advisories/13605-security-advisory-0072 patch vendor advisory mitigation

Frequently Asked Questions

What is the severity of CVE-2021-28503?
CVE-2021-28503 has been scored as a high severity vulnerability.
How to fix CVE-2021-28503?
To fix CVE-2021-28503: The recommended resolution is to upgrade to a remediated software version at your earliest convenience. The vulnerability is fixed in the following EOS versions: 4.26.3 and later releases in the 4.26.x train 4.25.6 and later releases in the 4.25.x train 4.24.8 and later releases in the 4.24.x train 4.23.10 and later releases in the 4.24.x train
Is CVE-2021-28503 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-28503 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-28503?
CVE-2021-28503 affects Arista Networks Arista EOS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.