CVE-2020-36907
Unknown Unknown - Not Provided
Denial of Service in Aerohive HiveOS NetConfig UI

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: VulnCheck

Description
Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36907
EUVD
EUVD-2026-1030
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
extreme_networks aerohive_hiveos to 11.x (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-36907 is a remote denial of service (DoS) vulnerability in Extreme Networks Aerohive HiveOS versions up to and including 11.x. It affects the NetConfig web user interface, specifically the action.php5 script. An unauthenticated attacker can send a specially crafted HTTP request with specific parameters to this script, triggering the CliWindow function via the _page parameter. This causes the web interface to become unresponsive for approximately 5 minutes (305 seconds), effectively denying access to the HiveOS management UI. The attack requires no authentication or user interaction and can be executed remotely over the network. [1, 3, 4]

Impact Analysis

This vulnerability can impact you by causing a denial of service on the Aerohive HiveOS web management interface. An attacker can remotely and without authentication make the web UI unusable for about 5 minutes per attack, disrupting your ability to manage and configure Aerohive access points and their network settings. This could lead to operational downtime or delays in network management tasks, potentially affecting network availability and administrative control. [1, 3, 4]

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP request to the vulnerable Aerohive HiveOS device targeting the action.php5 script with specific parameters, particularly using the _page parameter invoking the CliWindow function. A simple curl command can be used to test this, for example: curl -X GET 'http://<target-ip>/action.php5?_page=CliWindow'. If the web interface becomes unresponsive for about 5 minutes, the system is vulnerable. [1, 4]

Mitigation Strategies

The immediate mitigation step is to disable the HiveOS web server UI by executing the CLI command: no system web-server hive-ui enable. This will prevent the web interface from being accessible and thus block the attack vector until a proper patch or update is applied. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart