CVE-2023-5502 in EOS
Summary
by MITRE • 06/05/2026
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability affects Arista EOS network operating systems where 802.1x authentication is configured on access or trunk ports while routing is enabled on the access VLAN of those ports. The flaw represents a critical security weakness that undermines the fundamental purpose of 802.1x authentication protocols designed to control network access based on identity verification. When routing is enabled on the access VLAN, the network device's behavior creates an unexpected pathway that allows unauthorized network access.
The technical implementation flaw stems from how Arista EOS handles packet forwarding when both 802.1x authentication and routing are active on the same VLAN. The system fails to properly enforce authentication checks when packets are routed between different network segments within the same VLAN, creating a bypass mechanism that malicious supplicants can exploit. This occurs because the authentication state machine does not consistently validate credentials across all packet processing paths, particularly when routing decisions are made within the same VLAN domain. The vulnerability is categorized under CWE-284 Access Control Flaws, specifically related to improper access control enforcement in network device implementations.
The operational impact of this vulnerability is severe as it allows attackers to bypass network access controls without proper authentication credentials. A malicious supplicant could establish network connectivity by exploiting this weakness, potentially gaining access to sensitive network resources that should only be available to authenticated users. This creates opportunities for man-in-the-middle attacks, network reconnaissance, and unauthorized data access within the protected network segments. The vulnerability affects network security posture significantly since it undermines the integrity of the 802.1x authentication framework, which is a cornerstone of network access control in enterprise environments.
Security professionals should implement immediate mitigations including disabling routing on VLANs where 802.1x authentication is required, or ensuring that 802.1x authentication is properly enforced across all packet processing paths. Network administrators should also consider implementing additional security controls such as port security measures, MAC address filtering, and monitoring for unusual network behavior. The mitigation strategy should align with ATT&CK framework tactic TA0006 Credential Access and TA0005 Defense Evasion, as this vulnerability enables adversaries to bypass authentication mechanisms and potentially evade network security controls. Organizations should also consider implementing network segmentation strategies to isolate critical network segments from potential attack vectors that could exploit this authentication bypass.