Cyber Posture

CVE-2024-9131

High

Published: 10 January 2025

Modified: 29 September 2025
KEV Added
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

A user with administrator privileges can perform command injection.

Security Summary

CVE-2024-9131 is a command injection vulnerability (CWE-88) that affects Arista products. Published on 2025-01-10, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The flaw enables a user with administrator privileges to perform command injection.

An attacker requires administrator privileges (PR:H) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), potentially allowing full system compromise.

The Arista Security Advisory provides details on mitigation: https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105.

Details

CWE(s): CWE-88

Affected Products

Vendor: arista
Product: ng firewall
Versions: ≤ 17.1.1
