CVE-2020-36907
Published: 06 January 2026
Summary
CVE-2020-36907 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Aerohive HiveOS, specifically its NetConfig web UI. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 25.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly implements denial-of-service protections such as rate limiting and throttling, so that unauthenticated crafted HTTP requests cannot exhaust resources and take the NetConfig UI offline for 5 minutes at a time.
- SC-7 (Boundary Protection): monitors and controls communications at system boundaries to enforce rate limits and block repeated crafted requests to the action.php5 script from network-reachable, unauthenticated sources; restricting management-plane access to trusted networks removes the unauthenticated attack surface entirely.
- Input validation: validates and rejects the specific crafted parameters in HTTP requests to the action.php5 script, removing the trigger for the unbounded resource allocation behind the DoS.
NVD Description
Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption.
Deeper analysis
CVE-2020-36907 is a denial of service vulnerability in Aerohive HiveOS, affecting the NetConfig UI component. Unauthenticated attackers can send a crafted HTTP request to the action.php5 script with specific parameters, rendering the web interface unusable for a 5-minute period. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no confidentiality or integrity effects.
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device, requiring low attack complexity and no user interaction. Exploitation disrupts access to the web management interface for 5 minutes per request, potentially enabling repeated attacks to prolong downtime and impair administrative functions.
Advisories and related resources, including those from NCSC (https://advisories.ncsc.nl/2020/ncsc-2020-0367.html), Extreme Networks community announcements (https://community.extremenetworks.com/t5/iq-engine-hive-os-announcements/bg-p/IQ_Engine_Hive_OS_Announcements), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/181649), PacketStorm (https://packetstorm.news/files/id/157587), and Exploit-DB (https://www.exploit-db.com/exploits/48441), provide further details on the issue, with public proof-of-concept exploits documented.
Public availability of exploits on platforms like Exploit-DB and PacketStorm indicates potential for real-world abuse against unpatched Aerohive HiveOS deployments. The CVE was published on 2026-01-06T16:15:46.327.
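Because each crafted request buys the attacker only 5 minutes of downtime, real-world abuse looks like a steady drip of requests to action.php5 from one or a few sources, which is exactly the pattern the SC-5/SC-7 rate-limiting and boundary-monitoring controls above are meant to catch. The following is an added example (not code from the advisory, NVD or Extreme Networks) of a sliding-window detector run over web-server access logs in combined log format. The log lines, IP addresses, window and threshold are constructed assumptions; the exact parameters that trigger the outage are not reproduced, so the rule keys only on the script path and on request frequency.

```python
"""Flag sources that repeatedly hit the HiveOS NetConfig UI script action.php5.

Added example: per-source sliding-window rate detection over access-log lines
in combined log format. Sample lines, addresses, window and threshold are
constructed for illustration and are not taken from the advisory. The
parameters that actually trigger the 5-minute outage are deliberately not
reproduced; the rule keys only on the script path and on request frequency.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (assumed format, not real captures). 198.51.100.5 is
# an administrator making two spaced-out requests; 203.0.113.7 hammers the script.
SAMPLE_LOG = [
    '198.51.100.5 - - [06/Jan/2026:10:00:00 +0000] "GET /index.php5 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [06/Jan/2026:10:00:05 +0000] "POST /action.php5 HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2026:10:01:00 +0000] "POST /action.php5 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Jan/2026:10:01:01 +0000] "POST /action.php5 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Jan/2026:10:01:02 +0000] "POST /action.php5 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Jan/2026:10:01:03 +0000] "POST /action.php5 HTTP/1.1" 503 0 "-" "python-requests/2.31"',
    '198.51.100.5 - - [06/Jan/2026:10:06:00 +0000] "POST /action.php5 HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'ip': m.group('ip'),
        'ts': ts,
        'method': m.group('method'),
        # Drop any query string: we key on the script, not on its parameters.
        'path': m.group('path').split('?', 1)[0],
        'status': int(m.group('status')),
    }


def targets_netconfig(event):
    """True when the request is aimed at the vulnerable NetConfig UI script."""
    return event['path'].endswith('/action.php5')


def find_bursts(lines, window_seconds=60, threshold=3):
    """Return {ip: peak_count} for sources that made >= threshold requests to
    action.php5 within any window_seconds-long window. Lines are assumed to be
    in chronological order, as an access log normally is."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent action.php5 hits
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not targets_netconfig(ev):
            continue
        q = recent[ev['ip']]
        q.append(ev['ts'])
        # Expire hits that fell out of the window relative to the newest hit.
        while (ev['ts'] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev['ip']] = max(alerts.get(ev['ip'], 0), len(q))
    return alerts


if __name__ == '__main__':
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests to action.php5 within a 60s window")
```

The threshold is deliberately low: a legitimate administrator submits the NetConfig form a handful of times per session, while a single successful request already costs 5 minutes of availability, so even a few hits per minute from an address that is not a known management host is worth an alert. The same per-source window is what a boundary rate limit (SC-7) would enforce inline; this script only detects, it does not block.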
Details
- CWE(s)