Vulnerabilities > CVE-2020-16152 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Extremenetworks Aerohive Netconfig 10.0R8A

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

extremenetworks

CWE-829

critical

NVD

Published: 2021-11-14

Updated: 2021-11-18

Summary

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Vulnerable Configurations

Part	Description	Count
Hardware	Extremenetworks Extremenetworks Aerohive Netconfig * Extremenetworks Aerohive Netconfig 10.0R8A	3

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html
https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001