CVE-2025-8679 | THREATINT

Description

In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.

PUBLISHED Reserved 2025-08-06 | Published 2025-10-01 | Updated 2025-10-01 | Assigner ExtremeNetworks

HIGH: 7.6CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-307 Improper Restriction of Excessive Authentication Attempts

Product status

Default status

affected

25.4.0

affected

References

extreme-networks.my.site.com/ExtrArticleDetail?an=000130289

cve.org (CVE-2025-8679)

nvd.nist.gov (CVE-2025-8679)

Download JSON