Summary: Extreme Networks has issued security advisories regarding three critical vulnerabilities in its HiveOS (IQ Engine) product line, which could allow unauthorized access and execution of arbitrary commands. The vulnerabilities, identified by Lukas Schauer, could lead to severe system compromises for users of all HiveOS versions prior to 10.7r5. Users are urged to upgrade their systems and adopt security best practices to mitigate risks.
Affected: Extreme Networks HiveOS (IQ Engine)
Keypoints :
- CVE-2025-27229: Allows authenticated attackers to escalate privileges to root via an unsanitized SSH tunnel call.
- CVE-2025-27228: Enables authenticated attackers to decrypt user-level passwords using CLI functions.
- CVE-2025-27227: Lets authenticated attackers execute arbitrary commands through newline injection in Client-SSID settings.
- All versions prior to 10.7r5 are impacted; exploitation can lead to data theft and system disruption.
- Immediate upgrade to version 10.7r5 or later is strongly recommended.
Source: https://securityonline.info/extreme-networks-addresses-critical-security-vulnerabilities-in-hiveos/