HIGH · CVE-2024-12830 · CVSS 8.1

CVE-2024-12830: RCE in Arista NG Firewall

Platform: other

Component: arista-ng-firewall

Fixed in: 17.1.2

AI Confidence: high · NVD · EPSS 3.1% · Reviewed: May 2026

CVE-2024-12830 describes a Remote Code Execution (RCE) vulnerability affecting Arista NG Firewall versions 17.1.1–17.1.1. This vulnerability allows an attacker to execute arbitrary code on the system without authentication. The flaw resides in the implementation of the custom_handler method, stemming from insufficient validation of user-supplied file paths. A fix is available from Arista.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-12830 allows an attacker to gain complete control over the affected Arista NG Firewall. This includes the ability to modify system configurations, steal sensitive data, and potentially pivot to other systems within the network. Given the lack of authentication required, the vulnerability presents a significant risk, particularly in environments with exposed management interfaces. The attacker executes code as the www-data user, which may have elevated privileges depending on the firewall’s configuration. This vulnerability shares similarities with other directory traversal vulnerabilities where improper path sanitization leads to arbitrary code execution.

Exploitation Context

CVE-2024-12830 was disclosed on December 20, 2024. It is tracked by ZDI-CAN-24019. The vulnerability's ease of exploitation (no authentication required) and potential impact suggest a medium probability of exploitation. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge. Monitor CISA and Arista advisories for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

3.10% (87% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 8.1, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: arista-ng-firewall
Vendor: Arista
Affected range: 17.1.1 – 17.1.1
Fixed in: 17.1.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 520 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-12830 is to upgrade to a patched version of Arista NG Firewall as soon as possible. Until an upgrade is feasible, consider implementing strict network segmentation to limit external access to the firewall’s management interface. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious file paths or directory traversal sequences. Monitor firewall logs for unusual activity, particularly requests targeting the custom_handler endpoint. After upgrading, verify the fix by attempting to access the custom_handler endpoint with a crafted path designed to trigger the vulnerability; it should be rejected.
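
The log monitoring described above can be sketched as a small scanner. This is an added example, not Arista's code or part of the original advisory. It assumes combined-format web access logs and that the handler name custom_handler appears in the request target; the URL path, the parameter name and the log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumption: the handler name from the advisory shows up in the request target.
ENDPOINT_MARKER = "custom_handler"

# Pulls client IP, request target and status out of a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment, after "/", "\" or "=", in decoded form.
TRAVERSAL_RE = re.compile(r'(^|[\\/=])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True for handler requests carrying a traversal segment or NUL byte."""
    decoded = fully_decode(target)
    if ENDPOINT_MARKER not in decoded:
        return False
    return bool(TRAVERSAL_RE.search(decoded)) or "\x00" in decoded

def scan(lines):
    """Return (ip, status, raw target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("status"), m.group("target")))
    return hits

# Constructed sample lines; the path and parameter name are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /example/custom_handler?path=reports/daily.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /example/custom_handler?path=../../tmp/x HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2025:10:00:06 +0000] "GET /example/custom_handler?path=%252e%252e%252ftmp%252fx HTTP/1.1" 404 0',
    '203.0.113.4 - - [01/Jan/2025:10:00:09 +0000] "GET /example/status?v=1..2 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

The status code is returned with each hit so that flagged requests answered with a 2xx response can be triaged first.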

How to fix

Upgrade Arista NG Firewall to a version later than 17.1.1 that fixes the directory traversal vulnerability in the custom_handler method. Consult the vendor's website for the latest version and upgrade instructions.

Frequently asked questions

What is CVE-2024-12830 — RCE in Arista NG Firewall?

CVE-2024-12830 is a Remote Code Execution vulnerability in Arista NG Firewall versions 17.1.1–17.1.1, allowing attackers to execute code without authentication due to a flaw in the custom_handler method.

Am I affected by CVE-2024-12830 in Arista NG Firewall?

If you are running Arista NG Firewall version 17.1.1–17.1.1, you are potentially affected by this vulnerability. Check your firewall version and apply the recommended patch.

How do I fix CVE-2024-12830 in Arista NG Firewall?

Upgrade to a patched version of Arista NG Firewall as soon as possible. Consult the official Arista advisory for specific upgrade instructions.

Is CVE-2024-12830 being actively exploited?

While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a potential for exploitation. Monitor security advisories and implement mitigations proactively.

Where can I find the official Arista advisory for CVE-2024-12830?

Refer to the official Arista Networks security advisory for detailed information and mitigation steps: [https://www.arista.com/en/support/security/advisories/cve-2024-12830](https://www.arista.com/en/support/security/advisories/cve-2024-12830)
