In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:
\nswitch>show ip security connection\nLegend: (P) policy based VPN tunnel\nTunnel Source Dest Status Uptime Input Output Rekey Time\nTunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.If IPsec is not configured there is no exposure to this issue and the message will look like:
\nswitch>show ip security connection\nLegend: (P) policy based VPN tunnel.On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
"}],"value":"On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer."}],"impacts":[{"capecId":"CAPEC-125","descriptions":[{"lang":"en","value":"CAPEC-125 Flooding"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1286","description":"CWE-1286: Improper Validation of Syntactic Correctness of Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-04T23:04:56.535Z","orgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","shortName":"Arista"},"references":[{"tags":["vendor-advisory"],"url":"https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades
After upgrading to a remediated version of software, the system TCAM profile must be changed to ipsec-egress-padding-removal: https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal.
This may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.
switch(config)#hardware tcam\nswitch(config-tcam)#system profile ipsec-egress-padding-removal\n!\nWARNING!\nChanging TCAM profile will cause forwarding agent(s) to exit and restart.\nAll traffic through the forwarding chip managed by the restarting\nforwarding agent will be dropped.\n \nProceed [y/n]y\nswitch(config-tcam)#\n
To ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match ipsec-egress-padding-removal:
switch(config-tcam)#show hardware tcam profile\n Configuration Status\nFixedSystem ipsec-egress-padding-removal \nipsec-egress-padding-removal\n
‘ipsec-egress-padding-removal’ differs from the ‘ipsec’ TCAM profile in two ways:
There are no mitigations for this vulnerability.
"}],"value":"There are no mitigations for this vulnerability."}],"x_generator":{"engine":"Vulnogram"}}},"cveMetadata":{"assignerOrgId":"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7","assignerShortName":"Arista","cveId":"CVE-2025-8873","datePublished":"2026-06-04T23:04:56.535Z","dateReserved":"2025-08-11T18:28:43.460Z","dateUpdated":"2026-06-04T23:04:56.535Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-04 23:16:48","lastModifiedDate":"2026-06-05 15:02:34","problem_types":["CWE-1286","CWE-1286 CWE-1286: Improper Validation of Syntactic Correctness of Input"],"metrics":{"cvssMetricV40":[{"source":"psirt@arista.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"psirt@arista.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"8873","Ordinal":"1","Title":"Arista EOS Dataplane Denial of Service via Malformed IPsec Packe","CVE":"CVE-2025-8873","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"8873","Ordinal":"1","NoteData":"On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.","Type":"Description","Title":"Arista EOS Dataplane Denial of Service via Malformed IPsec Packe"}]}}}