CVE-2020-9015

CRITICAL

Arista restricted shell escape (with privesc)

Title source: metasploit

Description

Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands

Exploits (1)

metasploit WORKING POC GREAT

by Chris Anders · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/arista_tacplus_shell.rb

View Code ZIP pw:eip

References (4)

[Various Sources] https://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/

[Third Party Advisory] https://securitybytes.me

[Broken Link] https://securitybytes.me/posts/cve-2020-9015/

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/158119/Arista-Restricted-Shell-Escape-Privilege-Escalation.html

Scores

CVSS v3 9.8

EPSS 0.7841

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (3)

arista/dcs-7050cx3-32s-r_firmware 4.20.11m

arista/dcs-7050qx-32s-r_firmware 4.20.9m

arista/dcs-7280sram-48c6-r_firmware 4.22.0.1f

Published Feb 20, 2020

Tracked Since Feb 18, 2026