CVE-2020-36907

High · Public PoC · DDoS

Published: 06 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0048 (37.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-36907 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Ncsc (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2020-36907 is a denial of service vulnerability in Aerohive HiveOS, affecting the NetConfig UI component. Unauthenticated attackers can send a crafted HTTP request to the action.php5 script with specific parameters, rendering the web interface unusable for a 5-minute period. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no confidentiality or integrity effects.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device, requiring low attack complexity and no user interaction. Exploitation disrupts access to the web management interface for 5 minutes per request, potentially enabling repeated attacks to prolong downtime and impair administrative functions.

Advisories and related resources, including those from NCSC (https://advisories.ncsc.nl/2020/ncsc-2020-0367.html), Extreme Networks community announcements (https://community.extremenetworks.com/t5/iq-engine-hive-os-announcements/bg-p/IQ_Engine_Hive_OS_Announcements), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/181649), PacketStorm (https://packetstorm.news/files/id/157587), and Exploit-DB (https://www.exploit-db.com/exploits/48441), provide further details on the issue, with public proof-of-concept exploits documented.

Public availability of exploits on platforms like Exploit-DB and PacketStorm indicates potential for real-world abuse against unpatched Aerohive HiveOS deployments. The CVE was published on 2026-01-06T16:15:46.327.

Vulnerability details

Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption.

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Unauthenticated crafted HTTP request to public web UI (action.php5) directly enables exploitation of a public-facing application resulting in application-layer DoS via resource exhaustion (CWE-770).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1059 (shared CWE-770)
CVE-2026-29181 (shared CWE-770)
CVE-2025-13929 (shared CWE-770)
CVE-2026-28461 (shared CWE-770)
CVE-2026-5439 (shared CWE-770)
CVE-2026-1102 (shared CWE-770)
CVE-2026-33034 (shared CWE-770)
CVE-2024-12705 (shared CWE-770)
CVE-2026-20103 (shared CWE-770)
CVE-2026-26061 (shared CWE-770)

Affected Assets

Ncsc
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SC-5 Denial-of-service Protection): Directly implements denial-of-service protections such as rate limiting and throttling to prevent unauthenticated crafted HTTP requests from exhausting resources and disrupting the NetConfig UI for 5 minutes.

Prevent (SC-7 Boundary Protection): Monitors and controls communications at system boundaries to enforce rate limiting and block repeated crafted requests to the action.php5 script from network-accessible unauthenticated attackers.

Prevent: Validates and rejects specific crafted parameters in HTTP requests to the action.php5 script, mitigating the resource allocation trigger for the DoS vulnerability.
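As an added example (not part of this record, and not Aerohive or Extreme Networks code), the boundary-monitoring control above can be backed by simple detection logic: the script below counts requests to action.php5 per source IP over a sliding window in constructed web access-log lines and raises one alert per source that bursts. The log format, the 60-second window and the threshold of 3 are assumptions; the query string is left out because the advisory does not publish the triggering parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed tuning: one request disables the UI for five minutes, so a small burst is enough.
WINDOW_SECONDS = 60
BURST_THRESHOLD = 3
TARGET_SCRIPT = "/action.php5"

# Common/combined log format: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Constructed sample lines (not real traffic); the query string is omitted because
# the advisory does not publish the triggering parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2026:10:00:01 +0000] "GET /action.php5 HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.2 - - [06/Jan/2026:10:00:05 +0000] "GET /index.php5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jan/2026:10:00:09 +0000] "GET /action.php5 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [06/Jan/2026:10:00:31 +0000] "GET /action.php5 HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.2 - - [06/Jan/2026:10:05:00 +0000] "GET /action.php5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jan/2026:10:07:00 +0000] "GET /action.php5 HTTP/1.1" 200 512 "-" "curl/8.4"
"""

def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def detect_bursts(lines):
    """Per-source sliding-window count of hits on action.php5; one alert tuple per source."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.endswith(TARGET_SCRIPT):
            continue  # only the NetConfig UI script named in the advisory
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # expire hits older than the window
        if len(window) >= BURST_THRESHOLD and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, len(window), window[0], window[-1]))
    return alerts
```

Running detect_bursts(SAMPLE_LOG.splitlines()) flags 203.0.113.7 with three hits between 10:00:01 and 10:00:31, while the single hit from 198.51.100.2 and the later isolated request are left alone.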
