CVE-2020-9015

CRITICAL

Arista restricted shell escape (with privesc)

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9015. PoCs published by Chris Anders, including Metasploit module exploits/unix/ssh/arista_tacplus_shell.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-9015, a privilege escalation vulnerability in Arista's restricted shell (rbash) via TACACS+ misconfiguration. It leverages SSH to escape the restricted shell and execute a reverse TCP shell payload.

Description

Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands

Exploits (1)

metasploit WORKING POC GREAT

by Chris Anders · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/arista_tacplus_shell.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-9015, a privilege escalation vulnerability in Arista's restricted shell (rbash) via TACACS+ misconfiguration. It leverages SSH to escape the restricted shell and execute a reverse TCP shell payload.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Arista Networks EOS (with TACACS+ and rbash)

Auth required

Prerequisites: Valid SSH credentials (username/password) · TACACS+ read-only account access · Network access to target on port 22

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

https://securitybytes.me

Broken Link x_refsource_misc

https://securitybytes.me/posts/cve-2020-9015/

Various Sources x_refsource_misc

https://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/158119/Arista-Restricted-Shell-Escape-Privilege-Escalation.html

Scores

CVSS v3 9.8

EPSS 0.1608

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (3)

arista/dcs-7050cx3-32s-r_firmware 4.20.11m

arista/dcs-7050qx-32s-r_firmware 4.20.9m

arista/dcs-7280sram-48c6-r_firmware 4.22.0.1f

Published Feb 20, 2020

Tracked Since Feb 18, 2026