Broadcom: >> Fabric Operating System >> 9.1.1 Security Vulnerabilities
CVE-2025-1976
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.
Known exploited
CVSS Score
6.7
EPSS Score
0.017
Published
2025-04-24
Brocade Fabric OS versions before
8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can
capture the SFTP/FTP server password used for a firmware download
operation initiated by SANnav or through WebEM in a weblinker core dump
that is later captured via supportsave.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-11-21
A vulnerability in Brocade Fabric OS versions before 9.2.2 could allow man-in-the-middle attackers to conduct remote Service Session Hijacking that may arise from the attacker's ability to forge an SSH key while the Brocade Fabric OS Switch is performing various remote operations initiated by a switch admin.
CVSS Score
7.1
EPSS Score
0.0
Published
2024-11-12
A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms.
This could allow an authenticated user to view other users' session encoded passwords.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-06-26
A vulnerability in a password management API in Brocade Fabric OS versions before v9.2.1, v9.2.0b, v9.1.1d, and v8.2.3e prints sensitive information in log files. This could allow an authenticated user to view the server passwords for protocols such as scp and sftp.
Detail.
When the firmwaredownload command is incorrectly entered or points to an erroneous file, the firmware download log captures the failed command, including any password entered in the command line.
CVSS Score
5.9
EPSS Score
0.0
Published
2024-06-26
Brocade
Web Interface in Brocade Fabric OS v9.x and before v9.2.0 does not
properly represent the portName to the user if the portName contains
reserved characters. This could allow an authenticated user to alter the
UI of the Brocade Switch and change ports display.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-04-05
Remote code execution (RCE) vulnerability in Brocade Fabric OS after v9.0 and before v9.2.0 could allow an attacker to execute arbitrary code and use this to gain root access to the Brocade switch.
CVSS Score
8.6
EPSS Score
0.021
Published
2024-04-04
Brocade Fabric OS (FOS) hardware
platforms running any version of Brocade Fabric OS software, which
supports the license string format; contain cryptographic
issues that could allow for the installation of forged or fraudulent
license keys. This would allow attackers or a malicious party to forge a
counterfeit license key that the Brocade Fabric OS platform would
authenticate and activate as if it were a legitimate license key.
CVSS Score
6.4
EPSS Score
0.0
Published
2023-12-06
In
Brocade Fabric OS before v9.2.0a, a local authenticated privileged user
can trigger a buffer overflow condition, leading to a kernel panic with
large input to buffers in the portcfgfportbuffers command.
CVSS Score
4.4
EPSS Score
0.0
Published
2023-08-31
Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-08-01
Page 1