Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for ExtremeCloud IQ - Site Engine by Extreme Networks

    CVE-2026-0689 (GCVE-0-2026-0689)

    Vulnerability from nvd – Published: 2026-03-02 15:16 – Updated: 2026-03-02 19:17
    VLAI
    Title
    XIQ‑SE NAC Admin Credential Exposure via HTTP Response
    Summary
    In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Extreme Networks ExtremeCloud IQ - Site Engine Affected: 25.5.12.6 , ≤ <=25.12.11 (custom)
    Create a notification for this product.
    Date Public
    2026-03-02 14:07
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T19:17:27.896047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T19:17:37.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ExtremeCloud IQ - Site Engine",
              "vendor": "Extreme Networks",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "26.02.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "\u003c=25.12.11",
                  "status": "affected",
                  "version": "25.5.12.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "NAC administrator privlege required.\u0026nbsp;"
                }
              ],
              "value": "NAC administrator privlege required."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "datePublic": "2026-03-02T14:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgba(206, 206, 217, 0.004);\"\u003eIn ExtremeCloud IQ \u2013 Site Engine (XIQ\u2011SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access.\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\nWe would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.\u003c/span\u003e"
                }
              ],
              "value": "In ExtremeCloud IQ \u2013 Site Engine (XIQ\u2011SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access.\n\n\n\n\nWe would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-02T16:38:23.688Z",
            "orgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
            "shortName": "ExtremeNetworks"
          },
          "references": [
            {
              "url": "https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgba(206, 206, 217, 0.02);\"\u003eFixed in 26.2.10 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Fixed in 26.2.10 or later."
            }
          ],
          "source": {
            "advisory": "SA-2026-020",
            "discovery": "UNKNOWN"
          },
          "title": "XIQ\u2011SE NAC Admin Credential Exposure via HTTP Response",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
        "assignerShortName": "ExtremeNetworks",
        "cveId": "CVE-2026-0689",
        "datePublished": "2026-03-02T15:16:44.054Z",
        "dateReserved": "2026-01-07T20:12:47.064Z",
        "dateUpdated": "2026-03-02T19:17:37.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0689 (GCVE-0-2026-0689)

    Vulnerability from cvelistv5 – Published: 2026-03-02 15:16 – Updated: 2026-03-02 19:17
    VLAI
    Title
    XIQ‑SE NAC Admin Credential Exposure via HTTP Response
    Summary
    In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Extreme Networks ExtremeCloud IQ - Site Engine Affected: 25.5.12.6 , ≤ <=25.12.11 (custom)
    Create a notification for this product.
    Date Public
    2026-03-02 14:07
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T19:17:27.896047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T19:17:37.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ExtremeCloud IQ - Site Engine",
              "vendor": "Extreme Networks",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "26.02.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "\u003c=25.12.11",
                  "status": "affected",
                  "version": "25.5.12.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "NAC administrator privlege required.\u0026nbsp;"
                }
              ],
              "value": "NAC administrator privlege required."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "datePublic": "2026-03-02T14:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgba(206, 206, 217, 0.004);\"\u003eIn ExtremeCloud IQ \u2013 Site Engine (XIQ\u2011SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access.\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\nWe would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.\u003c/span\u003e"
                }
              ],
              "value": "In ExtremeCloud IQ \u2013 Site Engine (XIQ\u2011SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access.\n\n\n\n\nWe would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-02T16:38:23.688Z",
            "orgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
            "shortName": "ExtremeNetworks"
          },
          "references": [
            {
              "url": "https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgba(206, 206, 217, 0.02);\"\u003eFixed in 26.2.10 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Fixed in 26.2.10 or later."
            }
          ],
          "source": {
            "advisory": "SA-2026-020",
            "discovery": "UNKNOWN"
          },
          "title": "XIQ\u2011SE NAC Admin Credential Exposure via HTTP Response",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
        "assignerShortName": "ExtremeNetworks",
        "cveId": "CVE-2026-0689",
        "datePublished": "2026-03-02T15:16:44.054Z",
        "dateReserved": "2026-01-07T20:12:47.064Z",
        "dateUpdated": "2026-03-02T19:17:37.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }