CVE-2020-9015
published 2020-02-20

CVE-2020-9015: Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass…

Priority: P271, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.08% (96.5th percentile)
Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands.

Affected (3 ranges)

Vendor   Product                         Version range   Fixed in
arista   dcs-7050cx3-32s-r_firmware      (not listed)    (not listed)
arista   dcs-7050qx-32s-r_firmware       (not listed)    (not listed)
arista   dcs-7280sram-48c6-r_firmware    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Indicator: `|` (command)
  • Monitor TACACS+ shell sessions on Arista devices for pipe character (`|`) injection attempts used to escape restricted shell environments.
  • A Metasploit module exists for this vulnerability targeting Arista devices via SSH with TACACS+ read-only accounts; monitor for exploitation attempts combining SSH access with privilege escalation.
  • The vulnerability is rooted in a misconfiguration (an overly permissive regular expression in the TACACS+ server permitted commands list) rather than a software bug. Audit TACACS+ permitted command regexes on Arista devices.
  • Affected device models confirmed include DCS-7050QX-32S-R (4.20.9M), DCS-7050CX3-32S-R (4.20.11M), and DCS-7280SRAM-48C6-R (4.22.0.1F); other Arista products may also be impacted.
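The audit recommended above can be scripted: the check below, added here as an illustration and not taken from the CVE record, Arista or any TACACS+ server, takes a set of constructed permitted-command regexes and flags those that would accept a command string containing a `|` segment. It assumes the server matches each command against the regex with unanchored search semantics; if your server uses full-string matching, swap `search` for `fullmatch`.

```python
import re

# Constructed sample of per-command permit regexes (hypothetical, not any vendor's
# defaults). The "loose" entries illustrate the overly permissive pattern class the
# vendor note describes; the "safe" entries show patterns that cannot admit a pipe.
SAMPLE_PERMIT_REGEXES = {
    "any-show":      r"show .*",                    # unanchored and dot-star: admits '|'
    "show-anchored": r"^show .*$",                  # anchored, but .* still admits '|'
    "show-safe":     r"^show [A-Za-z0-9 /-]*$",     # character class excludes '|'
    "show-version":  r"^show version$",             # exact command only
}

# Constructed probes: a read-only command on its own, then with a trailing pipe segment.
PROBES = ["show version", "show version | x", "show interfaces | x"]


def audit_regex(pattern):
    """Return a list of findings for one permit regex (empty list means no issue found)."""
    findings = []
    rx = re.compile(pattern)
    # Unanchored patterns match a substring, so anything appended after the command passes.
    if not pattern.startswith("^") or not pattern.endswith("$"):
        findings.append("unanchored")
    # The core check: does any probe that carries a '|' still satisfy the regex?
    if any("|" in probe and rx.search(probe) for probe in PROBES):
        findings.append("accepts-pipe")
    return findings


def audit(regexes):
    """Map each regex name to its findings, keeping only entries with at least one finding."""
    results = {name: audit_regex(pat) for name, pat in regexes.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_PERMIT_REGEXES).items():
        print(f"{name}: {', '.join(found)}")
```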

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P