← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2024-27890 · CWE-306 · Disclosed 2026-06-04

Affected platforms running Arista EOS with OpenConfig configured

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a master key hidden behind the building’s badge-reader, not a front-door lock anyone can jiggle

CVE-2024-27890 is an authorization failure in Arista EOS OpenConfig/gNMI handling: a gNMI Set request can succeed when policy says it should be rejected, letting an attacker push unauthorized configuration to the switch. Arista says affected releases are 4.29.7M and below in the 4.29.x train, 4.28.10M and below in 4.28.x, plus older 4.27.x through 4.24.x trains; fixed code is in 4.30.0M+, 4.29.8M+, and 4.28.11M+, with SA99 hotfixes for selected interim releases.

Arista's 9.6 CRITICAL score is technically defensible *if* you assume a reachable management listener and a usable low-privilege gNMI identity. In enterprise reality, that assumption is the whole fight: OpenConfig must be explicitly enabled, the target is usually on a management network, many shops do not expose TCP/6030 broadly, and this is a single-device management-plane compromise rather than unauthenticated internet-wide RCE. That keeps it serious, but not top-of-pile drop everything critical for most fleets.

"Bad on the box, narrower in the real world: this is a management-plane authz flaw, not an internet-scale fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the gNMI management listener with gnmic

The attacker first needs network reachability to the EOS gNMI service, typically on TCP/6030, and the device must have OpenConfig/gNMI enabled. Arista's advisory shows the vulnerable state explicitly in show management api gnmi, and common gNMI tooling like gnmic can talk to the service directly.
Conditions required:
  • Target switch is running an affected EOS release
  • OpenConfig/gNMI is enabled on the device
  • Attacker can route to the management-plane listener
Where this breaks in practice:
  • Management interfaces are often isolated from user and internet-facing networks
  • Many enterprises never enable OpenConfig/gNMI on large portions of the fleet
  • ACLs, jump hosts, and out-of-band networks commonly shrink exposure
Detection/coverage: External vuln scanners will usually miss this unless they authenticate and understand EOS management services. Basic exposure checks can still flag reachable TCP/6030.
STEP 02

Present a valid low-privilege identity

Arista's CVSS sets PR:L, so the realistic read is that the attacker needs some authenticated or otherwise accepted gNMI principal, but not an administrative one. In practice this is usually an automation account, client certificate identity, or management credential accepted by the gNMI service.
Conditions required:
  • Attacker has a usable gNMI identity or low-privilege credential
  • AAA/mTLS configuration accepts that identity for session establishment
Where this breaks in practice:
  • Stealing or minting management-plane credentials is already a post-initial-access step
  • Well-run environments segregate automation credentials from user workstations
  • mTLS and source-IP restrictions can make credential reuse fail
Detection/coverage: AAA logs, TACACS/RADIUS, or gNMI session logs may show unexpected session establishment, but coverage is uneven.
STEP 03

Send unauthorized Set RPC with gnmic set or pygnmi

The attacker issues a crafted Set request against a path that should have been denied by authorization checks. The vulnerable code path allows configuration mutation instead of rejecting the request, turning a low-privilege management identity into an unauthorized config writer.
Conditions required:
  • Target path is writable through the affected OpenConfig/gNMI implementation
  • The deployment has not enforced per-RPC authorization to block OpenConfig.Set
Where this breaks in practice:
  • Many environments use gNMI for telemetry reads more than configuration writes
  • Per-RPC authorization can stop the exact dangerous method even when gNMI stays enabled
  • Attackers need enough EOS/OpenConfig knowledge to change the right objects cleanly
Detection/coverage: Accounting for gNMI RPCs and config-change logging is the best bet. Generic network IDS is unlikely to understand the semantic difference between allowed and unauthorized Set operations.
STEP 04

Apply switch config and create impact

Once the Set lands, the attacker can alter live switch behavior: ACLs, routes, interfaces, telemetry endpoints, or other device configuration depending on model and enabled paths. On infrastructure gear that can mean local outage, traffic redirection, monitoring blind spots, or a foothold for later lateral movement across the management plane.
Conditions required:
  • Attacker chooses valid config objects supported on that device/release
  • Change survives any rollback or config management reconciliation
Where this breaks in practice:
  • Impact is usually bounded to the reachable device or automation blast radius, not arbitrary code execution on every host
  • Network automation pipelines may overwrite rogue changes quickly
  • NOC visibility is high when a switch starts behaving strangely
Detection/coverage: Config drift tooling, syslog change events, and controller-side state reconciliation are strong ways to catch post-exploitation effects.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence in the sources reviewed. Arista explicitly says it is *not aware of any malicious uses in customer networks*.
KEV statusNot listed in CISA KEV in the current catalog reviewed during this assessment.
Proof-of-concept availabilityNo widely circulated public exploit repo was found in source review. Practical weaponization is still straightforward for anyone already using standard gNMI clients such as gnmic or pygnmi.
EPSSNo reliable EPSS value was retrieved from a primary source in this run. Treat threat likelihood as driven more by management-plane exposure than by public exploit buzz.
Vendor CVSS9.6 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H — high integrity/availability impact, but it already assumes the attacker has a low-privilege foothold on the gNMI plane.
Affected versions4.29.7M and below in 4.29.x; 4.28.10M and below in 4.28.x; 4.27.8M and below in 4.27.x; 4.26.9M and below in 4.26.x; 4.25.10M and below in 4.25.x; 4.24.11M and below in 4.24.x.
Fixed versionsPatched in 4.30.0M+, 4.29.8M+, and 4.28.11M+. Arista also published SA99 hotfixes for 4.30.5, 4.29.7, and 4.28.10.1.
Exposure preconditionThe advisory is unusually clear: for CVE-2024-27890 the only required product-side condition is that OpenConfig must be enabled. If show management api gnmi returns Enabled: no transports enabled, there is no exposure.
Public exposure signalNo trustworthy GreyNoise/Censys/Shodan count for this CVE was found in reviewed sources. Real exposure depends on whether your EOS management listener on TCP/6030 is reachable outside tightly controlled automation networks.
Disclosure / provenanceThe date in the prompt is wrong: this issue was initially released on 2024-07-02, revised on 2024-07-08, and the advisory currently carries 2024-07-25 as its date. Arista says the issue was discovered internally.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.4/10)

The decisive downgrade driver is management-plane reachability plus feature gating: the target must have OpenConfig/gNMI enabled and be reachable on a network segment that is usually far narrower than the general enterprise edge. Once that condition is met the impact is very real because unauthorized switch configuration can cause outages or policy tampering on critical infrastructure gear.

HIGH Affected-version and fix-version mapping from Arista SA0099
MEDIUM Real-world exposure reduction from management-network placement and OpenConfig enablement
MEDIUM No-current-public-exploitation assessment

Why this verdict

  • Downgrade for feature gating: the box is not exposed unless OpenConfig/gNMI is actually enabled.
  • Downgrade for attacker position: PR:L implies the attacker already has a usable management-plane identity, which is post-initial-access in most enterprises.
  • Downgrade for reachable population: EOS management services usually live on restricted management networks, not broad end-user address space or internet edge.
  • Hold at HIGH for blast radius: if exploited on a core or aggregation switch, unauthorized config changes can directly disrupt traffic, security controls, or visibility.
  • Hold at HIGH for tooling simplicity: once on the management plane, the exploit path is not exotic; standard gNMI clients can exercise Set operations.

Why not higher?

This is not unauthenticated internet-facing code execution, and it does not hit every EOS deployment by default. The chain assumes a prior foothold on the management plane plus an explicitly enabled feature, which sharply narrows both attacker population and exposed asset count.

Why not lower?

The affected asset class is network infrastructure, not a low-value edge utility. If an attacker can abuse this on reachable switches, the resulting unauthorized configuration changes can create immediate outage or traffic-manipulation impact, which is too operationally dangerous to file as routine medium-severity hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Disable gNMI where unused — If a switch does not need OpenConfig/gNMI, remove the listener with no management api gnmi. This is the cleanest exposure kill-switch and should be deployed within 30 days for all non-automation-managed devices.
  2. Enforce per-RPC authorization — Turn on authorization for gNMI requests and ensure no low-privilege principal can invoke OpenConfig.Set. This directly targets the vulnerable behavior and should be applied within 30 days on devices that must keep gNMI enabled.
  3. Restrict TCP/6030 to controllers only — Use management-plane ACLs, out-of-band segmentation, or firewalls so only your automation controllers and jump hosts can reach the gNMI service. Do this within 30 days to collapse the reachable population even before upgrades finish.
  4. Audit automation identities — Review client certs, service accounts, and AAA mappings used for gNMI access; remove stale principals and validate least privilege. Complete this within 30 days because PR:L is the prerequisite that makes this flaw matter.
  5. Watch for gNMI config writes — Enable logging/accounting that highlights Set operations and unexpected config drift so you can catch exploitation or testing fast. Stand this up within 30 days on high-value switching tiers.
What doesn't work
  • A WAF does nothing here; this is a gNMI management-plane service, not HTTP application traffic.
  • MFA on admin portals is not a control for gNMI if automation credentials or client certs remain valid.
  • A generic internet IDS signature is weak protection when the likely attack path runs over private management networks with legitimate gNMI tooling.
06 · Verification

Crowdsourced verification payload.

Run this on the EOS switch itself from a privileged shell session that can invoke Cli -p 15, or via an EOS bash shell obtained through your normal break-glass/admin method. Invoke it as bash check_cve_2024_27890.sh; it needs privilege to run show version, show management api gnmi, and show extensions.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2024_27890.sh
# Determine likely exposure to CVE-2024-27890 on Arista EOS.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

run_cli() {
  Cli -p 15 -c "$1" 2>/dev/null
}

VERSION_OUT="$(run_cli 'show version')"
GNMI_OUT="$(run_cli 'show management api gnmi')"
EXT_OUT="$(run_cli 'show extensions')"

if [[ -z "$VERSION_OUT" || -z "$GNMI_OUT" ]]; then
  echo "UNKNOWN - unable to query EOS CLI via 'Cli -p 15'"
  exit 2
fi

VERSION_LINE="$(echo "$VERSION_OUT" | grep -Ei 'Software image version|System image file is|image version' | head -n1)"
VERSION_RAW="$(echo "$VERSION_LINE" | sed -E 's/.*version[: ]+//I; s/.*EOS-//' | awk '{print $1}')"

if [[ -z "$VERSION_RAW" ]]; then
  echo "UNKNOWN - could not parse EOS version"
  exit 2
fi

GNMI_ENABLED="no"
if echo "$GNMI_OUT" | grep -qi 'Enabled:[[:space:]]*yes'; then
  GNMI_ENABLED="yes"
elif echo "$GNMI_OUT" | grep -qi 'Enabled:[[:space:]]*no transports enabled'; then
  GNMI_ENABLED="no"
fi

if [[ "$GNMI_ENABLED" == "no" ]]; then
  echo "PATCHED - OpenConfig/gNMI is not enabled, so this device is not exposed to CVE-2024-27890"
  exit 0
fi

if echo "$EXT_OUT" | grep -q 'sa99-CVE-2024-27890'; then
  echo "PATCHED - SA99 hotfix for CVE-2024-27890 appears installed"
  exit 0
fi

# Extract numeric parts from versions like 4.29.7M, 4.28.10.1M, 4.30.0M
NUM="$(echo "$VERSION_RAW" | sed -E 's/[^0-9.].*$//')"
IFS='.' read -r MAJ MIN PAT EXTRA <<< "$NUM"
MAJ=${MAJ:-0}
MIN=${MIN:-0}
PAT=${PAT:-0}
EXTRA=${EXTRA:-0}

# Only EOS 4.x logic is encoded from Arista SA0099.
if [[ "$MAJ" -ne 4 ]]; then
  echo "UNKNOWN - version '$VERSION_RAW' is outside the trains covered by this checker"
  exit 2
fi

# Patched trains per advisory:
# 4.30.0M+
# 4.29.8M+
# 4.28.11M+
# Older 4.24-4.27 trains are affected and require upgrade to a fixed train or hotfix where applicable.

if (( MIN >= 30 )); then
  echo "PATCHED - EOS $VERSION_RAW is in 4.30.0M+ train"
  exit 0
fi

if (( MIN == 29 )); then
  if (( PAT >= 8 )); then
    echo "PATCHED - EOS $VERSION_RAW is in 4.29.8M+"
    exit 0
  else
    echo "VULNERABLE - OpenConfig/gNMI enabled on affected 4.29.x release ($VERSION_RAW)"
    exit 1
  fi
fi

if (( MIN == 28 )); then
  if (( PAT >= 11 )); then
    echo "PATCHED - EOS $VERSION_RAW is in 4.28.11M+"
    exit 0
  else
    echo "VULNERABLE - OpenConfig/gNMI enabled on affected 4.28.x release ($VERSION_RAW)"
    exit 1
  fi
fi

if (( MIN >= 24 && MIN <= 27 )); then
  echo "VULNERABLE - OpenConfig/gNMI enabled on affected legacy train ($VERSION_RAW); move to a fixed train or vendor hotfix path"
  exit 1
fi

echo "UNKNOWN - version '$VERSION_RAW' not covered by explicit advisory logic"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, identify every EOS device where show management api gnmi is enabled, then split the list into internet-reachable, shared-management-network, and tightly isolated automation-only segments. For this HIGH reassessment, the noisgate mitigation SLA is ≤30 days: within that window disable gNMI where unused, restrict TCP/6030 to controllers/jump hosts, and enforce per-RPC authorization to block OpenConfig.Set; the noisgate remediation SLA is ≤180 days to complete EOS upgrades or SA99 hotfix rollout, prioritizing core and aggregation switches first because those carry the largest outage blast radius.

Sources

  1. Arista Security Advisory 0099
  2. Arista Security Advisory 0099 PDF
  3. Arista OpenConfig Configuration Documentation
  4. Arista EOS User Manual
  5. CISA Known Exploited Vulnerabilities Catalog
  6. MITRE CVE Record Placeholder for CVE-2024-27890
  7. Rapid7 Vulnerability Database Entry
  8. Containerlab vEOS Notes on gNMI Service
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.