CVE-2020-16152

CRITICAL

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-16152. PoCs published by Nate0634034090, eriknl, Erik de Jong, Erik Wynter, including Metasploit module exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.

AI-analyzed exploit summary

This is a Metasploit module for CVE-2020-16152, targeting an authenticated RCE vulnerability in the WordPress Popular Posts plugin (<=5.3.2). It exploits improper input validation to upload a malicious PHP payload disguised as a GIF image, achieving remote code execution.

Description

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Exploits (3)

Source: nomisec · Working PoC · 11 stars
By: Nate0634034090 · poc
URL: https://github.com/Nate0634034090/nate158g-m-w-n-l-p-d-a-o-e

This is a Metasploit module for CVE-2020-16152, targeting an authenticated RCE vulnerability in the WordPress Popular Posts plugin (<=5.3.2). It exploits improper input validation to upload a malicious PHP payload disguised as a GIF image, achieving remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WordPress Popular Posts plugin <=5.3.2
Authentication: Auth required
Prerequisites: Valid WordPress credentials · GD library enabled on the server · Metasploit with a public FQDN and open port (80/443/8080)
Analysis: devstral-2 · analyzed Feb 16, 2026
Source: nomisec · Working PoC · 11 stars
By: eriknl · poc
URL: https://github.com/eriknl/CVE-2020-16152

This PoC exploits a Local File Inclusion (LFI) vulnerability in Aerohive/Extreme Networks HiveOS via path truncation and log poisoning to achieve remote code execution (RCE) as root. The exploit leverages an outdated PHP version (5.2.17) to truncate the file path suffix and include arbitrary files.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Aerohive Networks / Extreme Networks HiveOS / IQ Engine (tested on 10.0r8a build-242466 and older)
Authentication: No auth needed
Prerequisites: Network access to the vulnerable web interface · PHP version vulnerable to path truncation (e.g., PHP 5.2.17)
Analysis: devstral-2 · analyzed Feb 16, 2026
Source: metasploit · Working PoC · Rank: Excellent
By: Erik de Jong, Erik Wynter · ruby · poc · linux
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb

This Metasploit module exploits CVE-2020-16152, combining LFI and log poisoning in Aerohive NetConfig to achieve unauthenticated RCE as root. It leverages PHP string truncation and log injection to execute arbitrary commands.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Aerohive NetConfig <= 10.0r8a
Authentication: No auth needed
Prerequisites: Network access to target · PHP 5 with string truncation vulnerability
Analysis: devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.3505
EPSS Percentile: 98.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-829
Status: published
Products (2):
extremenetworks/aerohive_netconfig 10.0r8a (2 CPE variants)
extremenetworks/aerohive_netconfig < 10.0r8a
Published: Nov 14, 2021
Tracked Since: Feb 18, 2026