Description
On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
Affected Software
- 2024.2.0 and 2024.2.1
- 2024.3.0
Affected Platforms
- CloudVision Portal, virtual appliance or physical appliance
- CloudVision CUE, virtual appliance or physical appliance
Mitigation
The ZTP component on CloudVision (on-premise) can be disabled by running the following on any of the nodes of the CloudVision deployment.
cvpi disable ztp
cvpi stop ztp
The following command can be used to verify that the component is stopped:
cvpi status ztp
Executing command. This may take some time...
Completed 1/1 discovered actions
primary components total:1 running:0 disabled:1
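The check below is an added example, not part of the Arista advisory or any Arista tooling: it classifies a version string against the affected and remediated releases listed on this page and parses the `cvpi status ztp` summary line to confirm the mitigation took effect. The function names are hypothetical, and the "still running" sample line is constructed.

```shell
#!/bin/sh
# Added example, not Arista code; function names are hypothetical.

# Status text as shown in the advisory, and a constructed counter-example.
SAMPLE_STOPPED='Executing command. This may take some time...
Completed 1/1 discovered actions
primary components total:1 running:0 disabled:1'
SAMPLE_RUNNING='primary components total:1 running:1 disabled:0'  # constructed

# Print "affected", "fixed" or "not-listed" for a CloudVision version,
# using only the releases named in the advisory.
classify_version() {
    case "$1" in
        2024.2.0|2024.2.1|2024.3.0) echo affected; return ;;
    esac
    train=${1%.*}; patch=${1##*.}
    case "$patch" in ''|*[!0-9]*) echo not-listed; return ;; esac
    case "$train" in
        2024.2) min=2 ;;   # 2024.2.2 and later in the 2024.2.x train
        2024.3) min=1 ;;   # 2024.3.1 and later in the 2024.3.x train
        *) echo not-listed; return ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo fixed; else echo not-listed; fi
}

# Read `cvpi status ztp` output on stdin. Return 0 only when the summary
# reports running:0 and every component disabled, 1 when a component is
# still running or enabled, 2 when no summary line is found (unverified).
ztp_is_stopped() {
    summary=$(grep -E 'total:[0-9]+ +running:[0-9]+ +disabled:[0-9]+' | tail -n 1)
    [ -n "$summary" ] || return 2
    total=$(printf '%s\n' "$summary" | sed -E 's/.*total:([0-9]+).*/\1/')
    running=$(printf '%s\n' "$summary" | sed -E 's/.*running:([0-9]+).*/\1/')
    disabled=$(printf '%s\n' "$summary" | sed -E 's/.*disabled:([0-9]+).*/\1/')
    [ "$running" -eq 0 ] && [ "$disabled" -eq "$total" ]
}

# Demonstration on the embedded samples (no cvpi call is made here).
for v in 2024.2.1 2024.2.2 2024.3.0 2024.3.1; do
    printf '%s: %s\n' "$v" "$(classify_version "$v")"
done
if printf '%s\n' "$SAMPLE_STOPPED" | ztp_is_stopped; then
    echo "sample status: ZTP stopped and disabled"
fi
```

On a CloudVision node the same check can be fed live output with `cvpi status ztp | ztp_is_stopped`; treat a return code of 2 as unverified rather than as mitigated.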
Resolution
The recommended resolution is to upgrade to a remediated software version at your earliest convenience.
- 2024.2.2 and later releases in the 2024.2.x train
- 2024.3.1 and later releases in the 2024.3.x train
References
https://www.arista.com/en/support/advisories-notices/security-advisory/21315-security-advisory-0115
