In this excerpt of a TrendAI Research Services vulnerability report, Jonathan Lein and Simon Humbert of the TrendAI Research team detail a recently patched command injection vulnerability in the Arista NG Firewall. This bug was originally discovered by Gereon Huppertz and reported through the TrendAI Zero Day Initiative (ZDI) program. Successful exploitation could result in arbitrary command execution under the security context of the root user. The following is a portion of their write-up covering CVE-2025-6798, with a few minimal modifications.
A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data in the diagnostics component.
A remote, authenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary command execution under the security context of the root user.
The Vulnerability
Arista NG Firewall is an open-source firewall appliance. It was originally developed under the name Untangle. Some features of Arista Firewall include spam blocking, bandwidth control, and IPS, etc. NG Firewall can be managed through a web user interface, or a JSON-RPC API using HTTP.
HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body
where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:
A corresponding HTTP request using the POST method might look like:
If there is more than one parameter/value pair, they are encoded as '&'-delimited name=value pairs:
var1=value1&var2=value2&var3=value3...
The component relevant to this report is the JSON-RPC endpoint. A JSON object has the following syntax:
• An object is enclosed in curly braces {}.
• An object consists of zero or more items delimited by a comma (",") character.
• An item consists of a key and a value. A key is delimited from its value by a colon (":") character.
• A key must be a string (enclosed in quotes).
• A value must be a valid type. Valid types include string, number, JSON object, array, Boolean, or null.
• An array is an object enclosed in square braces []. An array consists of zero or more string, number, JSON object, array, Boolean or null type-objects delimited by a comma (",") character.
An example JSON object is as follows:
The following is an example of a JSON-RPC request to the runTroubleshooting() method that is relevant to this report:
A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data that is used in a command line. The runTroubleshooting() method of the class NetworkManagerImpl will be used to handle JSON-RPC requests to the runTroubleshooting method. The command parameter passed to the method will be the first element in the params JSON array in the body of the request. This value must be one of the strings in the TroubleshootingCommands enum defined in the NetworkManager class. The second parameter of the method will contain additional arguments passed to the JSON-RPC call.
The method will first iterate through each of the additional arguments and combine each key value pair into a single string, separated by a "=" character that will later be used as an environment variable. Next, a switch case statement is used to ensure the provided command is one of the values in TroubleshootingCommands. Each command value will be processed using the same code.
The method will next iterate through each environment variable, and inspect it for the following common command injection strings:
; & | > $(
If any are found, the request will be rejected, and an exception is thrown. If each environment variable is valid, the method execEvil() is called to create and execute a command line for the network-troubleshooting.sh script, with the environment variables passed as a parameter. The execEvil() method in turn will call Runtime.getRuntime().exec() to run the script, with the second parameter passing the environment variables that will be used by the script. Each command value will have a function in network-troubleshooting.sh, such as run_dns() for the “DNS” command value. Each function will follow a similar structure, by creating a CMD string using the environment variables passed by exec() and then calling eval to execute it.
However, the values of the parameters passed to the runTroubleshooting JSON-RPC method are not completely sanitized before it is used in the command line. While the parameters passed to the endpoint are inspected for some shell metacharacters, the list is incomplete. For example, the backtick character (`) is not included in the check and may be used to inject a command.
For example:
The example above will write and execute a python script on the server to achieve code execution without using any restricted characters.
A remote, authenticated attacker could exploit this vulnerability by sending a JSON-RPC request to the runTroubleshooting method containing a crafted “HOST” or “URL” parameter containing shell metacharacters not present in the runTroubleshooting() check. Successful exploitation in the worst case will result in arbitrary command execution under the security context of the root user.
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following ports:
- HTTP, over port 80/TCP
- HTTPS, over port 443/TCP
Traffic to Arista NG Firewall may be encrypted and must be decrypted prior to applying this guidance.
The detection device must search for HTTP POST requests made to the request-URI /admin/JSON-RPC. If found, the body of the request must be parsed as JSON. The JSON object in the body must be inspected for a method key, and its value must be inspected to contain the substring runTroubleshooting. If found, the object must also be inspected for the JSON key "params", with a value containing a JSON array. The first entry in the JSON array must be inspected for any of the following strings:
If found, the second entry in the array must be inspected for a JSON object, and inspected for any of the following keys:
If either is found, the corresponding value to the key must be inspected for any of the following command injection characters:
If found, the traffic should be treated as suspicious; an attack exploiting this vulnerability is likely underway.
The following regular expression can be applied to find malicious requests:
/\x22(HOST|URL)\x22\s*:\s*\x22(?:[^\x22\\]|\\.)*?[\x60\x27\x24\x3c]/
Notes:
• String matching on the request-URI and all JSON strings should be done in a case sensitive manner.
• The JSON strings may be encoded and must be decoded prior to applying this guidance.
• The request-URI may be URL-encoded and must be decoded before applying this guidance.
Conclusion
This vulnerability has been addressed by Arista with their Security Advisory 0123. They note that the Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle) is affected by this bug, but other product versions are not. They also state the following mitigation can be applied:
Do not allow non-authorized administrative access or access to the administrative browser.
However, the more appropriate action is to apply the provided vendor security patch by upgrading to version 17.4 or higher.
Special thanks to Jonathan Lein and Simon Humbert of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services, please visit https://go.trendmicro.com/tis/vulnerabilities.html.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
