CVE-2020-36907
Published: 06 January 2026
Summary
CVE-2020-36907 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Ncsc (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2020-36907 is a denial of service vulnerability in Aerohive HiveOS, affecting the NetConfig UI component. Unauthenticated attackers can send a crafted HTTP request to the action.php5 script with specific parameters, rendering the web interface unusable for a 5-minute period. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no confidentiality or integrity effects.
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device, requiring low attack complexity and no user interaction. Exploitation disrupts access to the web management interface for 5 minutes per request, potentially enabling repeated attacks to prolong downtime and impair administrative functions.
Advisories and related resources, including those from NCSC (https://advisories.ncsc.nl/2020/ncsc-2020-0367.html), Extreme Networks community announcements (https://community.extremenetworks.com/t5/iq-engine-hive-os-announcements/bg-p/IQ_Engine_Hive_OS_Announcements), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/181649), PacketStorm (https://packetstorm.news/files/id/157587), and Exploit-DB (https://www.exploit-db.com/exploits/48441), provide further details on the issue, with public proof-of-concept exploits documented.
Public availability of exploits on platforms like Exploit-DB and PacketStorm indicates potential for real-world abuse against unpatched Aerohive HiveOS deployments. The CVE was published on 2026-01-06T16:15:46.327.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1030
- 🇳🇱 NCSC-NL: advisories.ncsc.nl
Vulnerability details
Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
An unauthenticated, crafted HTTP request to the public-facing web UI (action.php5) directly enables exploitation of a public-facing application, resulting in an application-layer DoS through resource exhaustion (CWE-770).
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly implements denial-of-service protections such as rate limiting and throttling to prevent unauthenticated crafted HTTP requests from exhausting resources and disrupting the NetConfig UI for 5 minutes.
- SC-7 (Boundary Protection): Monitors and controls communications at system boundaries to enforce rate limiting and block repeated crafted requests to the action.php5 script from network-accessible unauthenticated attackers.
- Input validation: Validates and rejects specific crafted parameters in HTTP requests to the action.php5 script, mitigating the resource allocation trigger for the DoS vulnerability.
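The SC-5 and SC-7 controls above describe two defender-side measures: throttling unauthenticated requests to the NetConfig endpoint per source at the boundary, and watching for the repeated requests that would chain 5-minute lockouts into prolonged downtime. The following is an added illustration of both, not code from this record, from Aerohive, or from Extreme Networks. It assumes the endpoint is served at the path /action.php5 (only the script name is given in the advisory), uses arbitrary burst and refill values, and reads a constructed one-line-per-request log format; the crafted parameters themselves are not reproduced, since the limiter and detector key only on source address and path.

```python
import re
from collections import defaultdict, deque

# Endpoint named in the advisory; the leading "/" is an assumption for this example.
PROTECTED_PATH = "/action.php5"


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = None  # time of the previous call; None until first use

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BoundaryLimiter:
    """SC-5/SC-7 style control: throttle unauthenticated hits on the NetConfig endpoint per source.
    Burst and refill values are illustrative assumptions, not vendor guidance."""

    def __init__(self, burst: int = 3, refill_per_sec: float = 1 / 60):
        self.burst = burst
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def decide(self, client_ip: str, path: str, authenticated: bool, now: float) -> str:
        # Authenticated sessions and unrelated paths are not subject to this limiter.
        if authenticated or path.split("?", 1)[0] != PROTECTED_PATH:
            return "allow"
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.burst, self.refill_per_sec))
        return "allow" if bucket.allow(now) else "throttle"


# Constructed access-log format for this example: "<epoch> <client_ip> <method> <path> <status>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def flag_repeated_hits(lines, threshold: int = 5, window_sec: int = 300):
    """Return {client_ip: peak_hits} for sources that reach `threshold` requests to
    PROTECTED_PATH within any `window_sec` sliding window (i.e. a source that could
    be chaining 5-minute lockouts rather than making one-off requests)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["path"].split("?", 1)[0] != PROTECTED_PATH:
            continue
        ts, ip = int(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_sec:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


SAMPLE_LOG = [  # constructed sample, not a real capture
    "1700000000 203.0.113.5 GET /action.php5?op=x 200",
    "1700000001 203.0.113.5 GET /action.php5?op=x 200",
    "1700000002 203.0.113.5 GET /action.php5?op=x 200",
    "1700000003 203.0.113.5 GET /action.php5?op=x 200",
    "1700000004 203.0.113.5 GET /action.php5?op=x 200",
    "1700000010 198.51.100.7 GET /index.php5 200",
    "1700000020 198.51.100.7 GET /action.php5?op=y 200",
]


def demo():
    """Run five unauthenticated hits through the limiter, then the detector over the sample log."""
    limiter = BoundaryLimiter(burst=3, refill_per_sec=1 / 60)
    decisions = [
        limiter.decide("203.0.113.5", "/action.php5?op=x", False, 1700000000 + i) for i in range(5)
    ]
    return decisions, flag_repeated_hits(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

With a burst of 3 and a refill of one request per minute, the fourth and fifth back-to-back unauthenticated requests from the same address are throttled before they reach the script, while authenticated sessions and other paths pass untouched; the detector independently flags the address that made five requests to action.php5 inside the 300-second window and ignores the address that made one. The limiter is keyed on source address only, so it does not by itself protect against a distributed source set; that gap is why the record lists boundary protection alongside input validation of the request parameters.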