A command injection vulnerability in Arista NG Firewall, reported by TrendAI Research, allows arbitrary command execution. The vulnerability, tracked as CVE-2025-6798, stems from inadequate input validation in the diagnostics component. Attackers can exploit it by sending crafted requests to the JSON-RPC interface, specifically to the runTroubleshooting method. The flaw lies in how the runTroubleshooting method in the NetworkManagerImpl class handles user input: user-supplied data in parameters such as "HOST" or "URL" isn't fully sanitized, which allows commands to be injected. The backtick is one example of an unsafe character that can be used for this. Successful exploitation grants the attacker root privileges on the compromised system. Detection involves monitoring HTTP/HTTPS traffic for malicious JSON-RPC requests, and the detection guidance in the report details specific regular-expression checks to apply to request bodies. Arista has addressed the issue in version 17.4 and later, and the report emphasizes the importance of applying the vendor's security patch. The analysis was conducted by Jonathan Lein and Simon Humbert of the TrendAI Research team.
thezdi.com
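The request-body check described above can be sketched as follows. This is an added example, not the detection logic from the TrendAI report or any Arista code: the JSON-RPC request layout, the set of flagged characters beyond the backtick, and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# The page names the backtick; the other characters are an added assumption.
# "&" is left out on purpose because it is common in legitimate URLs.
SHELL_META = re.compile(r"[`$;|\n\r]")
WATCHED_KEYS = {"HOST", "URL"}   # parameter names given on the page
METHOD = "runTroubleshooting"    # JSON-RPC method given on the page

# Constructed sample bodies; the real request layout is assumed, not documented here.
SAMPLE_BENIGN = '{"id": 1, "method": "runTroubleshooting", "params": [{"HOST": "example.com"}]}'
SAMPLE_SUSPECT = '{"id": 2, "method": "runTroubleshooting", "params": [{"HOST": "example.com`PLACEHOLDER`"}]}'


def _walk(node):
    """Yield (key, value) for every string-valued dict entry, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield key, value
            else:
                yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def inspect_body(body):
    """Return (parameter, offending character) findings for one request body."""
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON: outside the scope of this check
    # Substring match, in case the method name carries an object prefix (assumption).
    if not isinstance(msg, dict) or METHOD not in str(msg.get("method", "")):
        return []
    findings = []
    for key, value in _walk(msg.get("params")):
        match = SHELL_META.search(value) if key.upper() in WATCHED_KEYS else None
        if match:
            findings.append((key, match.group()))
    return findings


if __name__ == "__main__":
    for body in (SAMPLE_BENIGN, SAMPLE_SUSPECT):
        print(inspect_body(body) or "clean")
```

Parsing the body before matching means JSON escapes such as `\u0060` are decoded first, which a regular expression run over the raw bytes would miss.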
