CVE-2025-11192 - Vulnerability Details - OpenCVE

A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000130291

History

Tue, 07 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data.
Title		Fabric Engine (VOSS) AutoSense Authentication Bypass
Weaknesses		CWE-287
References		https://extreme-networks.my.site.com/ExtrArticleDetail?an=000130291
Metrics		cvssV4_0 `{'score': 8.4, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: ExtremeNetworks

Published: 2025-10-07T19:07:45.086Z

Updated: 2025-10-07T19:07:45.086Z

Reserved: 2025-09-30T13:38:06.105Z

Link: CVE-2025-11192

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-07T19:15:33.863

Modified: 2025-10-07T19:15:33.863

Link: CVE-2025-11192

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11192", "assignerOrgId": "1c053176-eef3-4d6a-ae0b-24728c86587b", "state": "PUBLISHED", "assignerShortName": "ExtremeNetworks", "dateReserved": "2025-09-30T13:38:06.105Z", "datePublished": "2025-10-07T19:07:45.086Z", "dateUpdated": "2025-10-07T19:07:45.086Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Fabric Engine (VOSS)", "vendor": "Extreme Networks", "versions": [{"changes": [{"at": "9.3", "status": "unaffected"}], "lessThanOrEqual": "<9.2", "status": "affected", "version": "9.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div>A vulnerability in Extreme Networks\u2019 Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data.</div></div></div><br>"}], "value": "A vulnerability in Extreme Networks\u2019 Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1c053176-eef3-4d6a-ae0b-24728c86587b", "shortName": "ExtremeNetworks", "dateUpdated": "2025-10-07T19:07:45.086Z"}, "references": [{"url": "https://extreme-networks.my.site.com/ExtrArticleDetail?an=000130291"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Fixed in 9.3 or later.</span><br>"}], "value": "Fixed in 9.3 or later."}], "source": {"advisory": "SA-2025-115", "discovery": "USER"}, "title": "Fabric Engine (VOSS) AutoSense Authentication Bypass", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Extreme Networks\u2019 Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data."}], "id": "CVE-2025-11192", "lastModified": "2025-10-07T19:15:33.863", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "1c053176-eef3-4d6a-ae0b-24728c86587b", "type": "Secondary"}]}, "published": "2025-10-07T19:15:33.863", "references": [{"source": "1c053176-eef3-4d6a-ae0b-24728c86587b", "url": "https://extreme-networks.my.site.com/ExtrArticleDetail?an=000130291"}], "sourceIdentifier": "1c053176-eef3-4d6a-ae0b-24728c86587b", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "1c053176-eef3-4d6a-ae0b-24728c86587b", "type": "Secondary"}]}