Extremenetworks: Security Vulnerabilities
A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data.
CVSS Score
8.4
EPSS Score
0.001
Published
2025-10-07
In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.
CVSS Score
7.6
EPSS Score
0.001
Published
2025-10-01
In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-07-21
In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id.
CVSS Score
5.2
EPSS Score
0.002
Published
2025-06-13
In XIQ-SE before 24.2.11, a server misconfiguration may allow user enumeration when specific conditions are met.
CVSS Score
5.3
EPSS Score
0.003
Published
2025-02-27
In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.
CVSS Score
8.8
EPSS Score
0.002
Published
2025-02-27
In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.
CVSS Score
9.8
EPSS Score
0.005
Published
2025-02-27
Extreme Networks EXOS before v.22.7 and before v.30.2 was discovered to contain an issue in its Web GUI which fails to restrict URL access, allowing attackers to access sensitive information or escalate privileges.
CVSS Score
8.0
EPSS Score
0.002
Published
2024-05-14
In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI).
CVSS Score
8.6
EPSS Score
0.003
Published
2024-05-03
Cross Site Request Forgery (CSRF) vulnerability in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, fixed in 31.7.2 and 32.5.1.5 allows attackers to run arbitrary code and cause other unspecified impacts via /jsonrpc API.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-10-16
Page 1