Security vulnerabilities in AeroHive/Extreme Networks access points

During my work for the Mobile Communications Lab at Hochschule Bonn-Rhein-Sieg I found some rather severe security vulnerabilities in AeroHive/Extreme Networks WiFi access points. It all started with a few cheap used devices whose firmware I wanted to take a closer look at to make them more suitable for a few use cases I had in mind. While digging around I stumbled over multiple vulnerabilities, ranging from an authentication bypass to persistent control over the devices’ firmware.

In the end this resulted in four CVEs: a complete authentication bypass (CVE-2025-27227) and multiple ways of getting root access on the devices (CVE-2025-27229, CVE-2025-27230). The worst one was a bug in the webserver that let you run privileged configuration commands without any valid credentials at all. It was also possible to decrypt stored passwords (CVE-2025-27228), and even after a factory reset parts of the previous owner’s data could still be recovered.

Of course I reported everything to Extreme Networks before publishing, and most of the issues have been fixed by now. The full writeup with all the technical details can be found on our research group’s GitHub profile.