CVE-2025-8679 HIGH

CVE-2025-8679: ExtremeGuest Essentials Captive Portal Unauthenticated Brute Force

Vendor Extreme Networks
Product ExtremeGuest Essentials
Weakness CWE-307 · Brute force
Published October 1, 2025
Last update October 1, 2025

CVSS base score

7.6/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.

Key dates

02Disclosure timeline

October 1, 2025 CVE published
October 1, 2025 Record updated