Directory Traversal in Gigamon GVOS H-VUE

Executive Summary

CVE-2026-36848 is a critical directory traversal vulnerability in Gigamon GVOS appliances version 5.16.1 and below, specifically in the legacy H-VUE subsystem.

The flaw exists in the persistd daemon's TornadoHTTP web service, which improperly handles user-supplied path parameters without proper validation.

This allows unauthenticated remote attackers with network access to read arbitrary files and perform partial write operations with root privileges by exploiting the DownloadDbFile and UploadDbFile handlers.

Attackers can bypass restrictions by URL-encoding path separators to escape the intended directory, leading to unauthorized file access and modification.

The vulnerability was removed in GVOS version 6, and users are advised to upgrade from affected versions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to remotely read sensitive files and partially overwrite files on the affected system with root privileges without authentication.

Such unauthorized access and modification can lead to data exposure, system compromise, and potential disruption of services.

Because the exploit requires only network access and no authentication, it poses a significant security risk to affected GVOS appliances.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability exists in Gigamon GVOS appliances running the legacy H-VUE subsystem on port 8089. Detection can focus on identifying systems running GVOS version 5.16.1 or below, especially those exposing port 8089.

One approach is to scan your network for devices with port 8089 open and check the GVOS version. Since the vulnerability involves path traversal via HTTP requests, you can attempt to detect it by sending crafted HTTP requests to the DownloadDbFile or UploadDbFile handlers to see if arbitrary file access is possible.

• Use network scanning tools (e.g., nmap) to identify hosts with port 8089 open: nmap -p 8089 <target-ip>
• Check the GVOS version on identified devices to confirm if it is 5.16.1 or below.
• Attempt to access files via HTTP requests exploiting path traversal, for example by URL-encoding path separators in requests to the DownloadDbFile handler.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade GVOS to a version that does not contain the vulnerable H-VUE subsystem. Specifically, upgrading to GVOS version 6 or later removes the vulnerable component entirely.

If upgrading immediately is not possible, restrict network access to port 8089 to trusted sources only, as the vulnerability requires network access to this port.

Since the vulnerability allows unauthenticated remote attackers to read and partially write files with root privileges, limiting exposure and applying network-level controls is critical until an upgrade can be performed.

Unsupported versions are strongly discouraged due to security risks, so planning for migration to supported releases is recommended.

Useful 0 Not Useful 0