Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service

Advisories

severity: high
date: January 5, 2026
Affecting: Aerohive HiveOS <= 11.x
CVE: CVE-2020-36907
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-48441
Extreme Networks Product Homepage
HiveOS Product Announcements
Zero Science Lab Disclosure (ZSL-2020-5566)
NCSC Security Advisory
IBM X-Force Vulnerability Exchange
Packet Storm Security Exploit Entry
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption.