ExtremenetworksCVEs & Vulnerabilities

29 CVEs affecting Extremenetworks products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

extremexos 115exos 5extreme management center 3xiq-se 3ap250 2ap30 2ap122 2ap150w 2
CVE-2025-11192HIGH

A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data.

7 Oct 2025
8.6
CVSS
CVE-2025-8679CRITICAL

In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.

1 Oct 2025
9.8
CVSS
CVE-2025-6235MEDIUM

In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context.

21 Jul 2025
6.1
CVSS
CVE-2025-6083MEDIUM

In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id.

14 Jun 2025
4.3
CVSS
CVE-2024-38292CRITICAL

In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.

28 Feb 2025
9.8
CVSS
CVE-2024-38291HIGH

In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.

28 Feb 2025
8.8
CVSS
CVE-2024-38290MEDIUM

In XIQ-SE before 24.2.11, a server misconfiguration may allow user enumeration when specific conditions are met.

28 Feb 2025
5.3
CVSS
CVE-2020-18305HIGH

Extreme Networks EXOS before v.22.7 and before v.30.2 was discovered to contain an issue in its Web GUI which fails to restrict URL access, allowing attackers to access sensitive information or escalate privileges.

14 May 2024
8.0
CVSS
CVE-2024-27453HIGH

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI).

3 May 2024
8.6
CVSS
CVE-2023-43121HIGH

A Directory Traversal vulnerability discovered in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, before 22.7, and before 31.7.2 allows attackers to read arbitrary files.

16 Oct 2023
7.5
CVSS
CVE-2023-43119CRITICAL

An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server.

16 Oct 2023
9.8
CVSS
CVE-2023-43118HIGH

Cross Site Request Forgery (CSRF) vulnerability in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, fixed in 31.7.2 and 32.5.1.5 allows attackers to run arbitrary code and cause other unspecified impacts via /jsonrpc API.

16 Oct 2023
8.8
CVSS
CVE-2023-43120HIGH

An issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, before 22.7 and before 31.7.1 allows attackers to gain escalated privileges via crafted HTTP request.

16 Oct 2023
8.8
CVSS
CVE-2023-35803CRITICAL

IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.

5 Oct 2023
9.8
CVSS
CVE-2023-35802CRITICAL

IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Overflow in the implementation of the CAPWAP protocol that may be exploited to obtain elevated privileges to conduct remote code execution. Access to the internal management interface/subnet is required to conduct the exploit.

15 Jul 2023
9.8
CVSS
CVE-2020-16152CRITICAL

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

15 Nov 2021
9.8
CVSS
CVE-2020-13819MEDIUM

Extreme EAC Appliance 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request.

5 Aug 2020
6.1
CVSS
CVE-2020-16847MEDIUM

Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.

5 Aug 2020
6.1
CVSS
CVE-2020-13820MEDIUM

Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request.

3 Aug 2020
6.1
CVSS
CVE-2018-5797HIGH

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port.

5 Feb 2018
7.5
CVSS
CVE-2018-5787HIGH

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Stack Overflow in the RIM (Radio Interface Module) process running on the WiNG Access Point via crafted packets.

5 Feb 2018
7.5
CVSS
CVE-2017-14332HIGH

Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to hijack sessions by determining SessionID values.

23 Oct 2017
8.1
CVSS
CVE-2017-14331MEDIUM

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to bypass the "exsh restricted shell" protection mechanism and obtain an interactive shell.

23 Oct 2017
6.7
CVSS
CVE-2017-14330MEDIUM

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving a privileged process.

23 Oct 2017
6.7
CVSS
CVE-2017-14329MEDIUM

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving an exsh debug shell.

23 Oct 2017
6.7
CVSS
CVE-2017-14328HIGH

Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to trigger a buffer overflow leading to a reboot.

23 Oct 2017
7.5
CVSS
CVE-2017-14327MEDIUM

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to read arbitrary files.

23 Oct 2017
4.4
CVSS
CVE-2013-7309MEDIUM

The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

23 Jan 2014
5.4
CVSS
CVE-2005-1670MEDIUM

Unknown vulnerability in Extreme BlackDiamond 10808 and 8800 switches running ExtremeWare XOS 11.1 before 11.1.3.3, 11.0 before 11.0.2.4, and 10.x allows remote authenticated users to execute arbitrary commands.

19 May 2005
4.6
CVSS
← PrevPage 1 / 1Next →