Rapid7 Vulnerability & Exploit Database

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE

Back to Search

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE



This module exploits LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative webinterface. Vulnerable versions allow for LFI because they rely on a version of PHP 5 that is vulnerable to string truncation attacks. This module leverages this issue in conjunction with log poisoning to gain RCE as root. Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open. For the Linux target, the MeterpreterTryToFork option (enabled by default) will likely prevent this. If the app hangs, closing the session should render it responsive again. The module provides an automatic cleanup option to clean the log. However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed, may render the target (temporarily) unexploitable. This state can last over an hour. This module has been successfully tested against Aerohive NetConfig versions 8.2r4 and 10.0r7a.


  • Erik de Jong
  • Erik Wynter




armle, cmd


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > show targets
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > set TARGET < target-id >
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > show options
    ...show and set options...
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security