Brocade


Products by Brocade Sorted by Most Security Vulnerabilities since 2018

Brocade Fabric Os: 58 vulnerabilities

Brocade Network Advisor: 3 vulnerabilities

Brocade Sannav: 1 vulnerability

Brocade Silkworm: 1 vulnerability

By the Year

In 2026 there have been 13 vulnerabilities in Brocade products. Last year, in 2025, Brocade had 3 security vulnerabilities published. That is, 10 more vulnerabilities have already been reported in 2026 than in all of last year.




Year Vulnerabilities Average Score
2026 13 0.00
2025 3 0.00
2024 6 6.80
2023 11 6.12
2022 14 7.14
2021 1 8.30
2020 14 7.25
2019 3 0.00
2018 12 0.00

It may take a day or so for new Brocade vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Brocade Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-0869 Mar 03, 2026
Brocade ASCG 3.4.0 Auth bypass via BSL config ops
Authentication bypass in Brocade ASCG 3.4.0 could allow an unauthorized user to perform ASCG operations related to Brocade Support Link (BSL) and streaming configuration, and could even disable the ASCG application or disable use of BSL data collection on Brocade switches within the fabric.
CVE-2025-58381 Feb 03, 2026
Brocade Fabric OS <9.2.1c2 PATH var modification via shell cmds
A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories.
Fabric Os
CVE-2025-9711 Feb 03, 2026
Privilege Escalation in Brocade Fabric OS <9.2.1c3 via seccertmgmt Export
A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to root using the export option of seccertmgmt and seccryptocfg commands.
Fabric Os
CVE-2025-58380 Feb 03, 2026
Brocade Fabric OS <9.2.1: grep path traversal with admin
A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command grep to modify the path variables and move upwards in the directory structure or to traverse to different directories.
Fabric Os
CVE-2026-0383 Feb 03, 2026
Local Auth Bash History Exposure in Brocade Fabric OS
A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command.
Fabric Os
CVE-2025-58379 Feb 03, 2026
Brocade Fabric OS <=9.2.1 Local Auth Attacker Reveals Cmd Line Passwds
Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user.
Fabric Os
CVE-2025-58383 Feb 03, 2026
Brocade Fabric OS <9.2.1c2 Priv Esc via bind Command
A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands.
Fabric Os
CVE-2025-58382 Feb 03, 2026
Brocade Fabric OS <9.2.1c2: Authenticated RCE via supportsave
A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using the supportsave, seccertmgmt, configupload commands.
Fabric Os
CVE-2025-12774 Feb 03, 2026
Brocade SANnav <3.0 migration script SQL queries info disclosure
A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database SQL queries in the SANnav support save file. An attacker with access to the Brocade SANnav supportsave file could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.
CVE-2025-12773 Feb 03, 2026
Brocade SANnav password logging in update-reports-purge-settings.sh <2.4.0a
A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of the SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.
CVE-2025-12772 Feb 02, 2026
Brocade SANnav <=2.4.0b Exposes Switch Admin Password via Logs (CVE-2025-12772)
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.
CVE-2025-12679 Feb 02, 2026
Brocade SANnav <2.4.0b: PBE Key Logged in System Audit
A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the PBE key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
CVE-2025-12680 Feb 02, 2026
Brocade SANnav <2.4.0b: Standby Logs Store DB Passwords in Clear Text
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.
CVE-2025-4661 Jun 19, 2025
Brocade Fabric OS 9.1.0-9.2.2 Path Traversal Exposes Files
A path traversal vulnerability in Brocade Fabric OS 9.1.0 through 9.2.2 could allow a local admin user to gain access to files outside the intended directory potentially leading to the disclosure of sensitive information. Note: Admin level privilege is required on the switch in order to exploit
Fabric Os
CVE-2025-1976 Apr 24, 2025
Brocade Fabric OS 9.1.0–9.1.1d6 Local Admin Arbitrary Code Exec
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.
Fabric Os
CVE-2024-5462 Feb 15, 2025
Brocade Fabric OS <9.2 SNMP Passwords Exposed via SNMPv3
If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.
Fabric Os
CVE-2024-7517 Nov 21, 2024
Brocade Fabric OS Command Injection Vulnerability in Portcfg Command
A command injection vulnerability in Brocade Fabric OS before 9.2.0c, and 9.2.1 through 9.2.1a on IP extension platforms could allow a local authenticated attacker to perform a privilege escalation via crafted use of the portcfg command. This specific exploitation is only possible on IP Extension platforms: Brocade 7810, Brocade 7840, Brocade 7850 and on Brocade X6 or X7 directors with an SX-6 Extension blade installed. The attacker must be logged into the switch via SSH or serial console to conduct the attack.
Fabric Os
CVE-2024-10403 Nov 21, 2024
Brocade Fabric OS SFTP/FTP Server Password Exposure in Core Dump
Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can capture the SFTP/FTP server password used for a firmware download operation initiated by SANnav or through WebEM in a weblinker core dump that is later captured via supportsave.
Fabric Os
CVE-2024-29953 Jun 26, 2024
Brocade Fabric OS <=9.2.1: Session Password Disclosure
A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. This could allow an authenticated user to view other users' session encoded passwords.
Fabric Os
CVE-2024-5460 Jun 26, 2024
Auth Remote SNMP Read Hard-Coded Community String in Brocade Fabric OS <9.0.0
A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded, default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device.
Fabric Os
CVE-2023-5973 Apr 05, 2024
Brocade Fabric OS v9.x Web UI Display Alteration via Reserved Characters
Brocade Web Interface in Brocade Fabric OS v9.x and before v9.2.0 does not properly represent the portName to the user if the portName contains reserved characters. This could allow an authenticated user to alter the UI of the Brocade Switch and change ports display.
Fabric Os
CVE-2023-3454 Apr 04, 2024
Brocade Fabric OS RCE v9.0-9.1.9 Switch
Remote code execution (RCE) vulnerability in Brocade Fabric OS after v9.0 and before v9.2.0 could allow an attacker to execute arbitrary code and use this to gain root access to the Brocade switch.
Fabric Os
CVE-2021-27795 Dec 06, 2023
Brocade FOS License Forgery CVE-2021-27795
Brocade Fabric OS (FOS) hardware platforms running any version of Brocade Fabric OS software which supports the license string format contain cryptographic issues that could allow for the installation of forged or fraudulent license keys. This would allow attackers or a malicious party to forge a counterfeit license key that the Brocade Fabric OS platform would authenticate and activate as if it were a legitimate license key.
Fabric Os
CVE-2023-4163 Aug 31, 2023
Brocade Fabric OS <9.2.0a Buffer Overflow via portcfgfportbuffers
In Brocade Fabric OS before v9.2.0a, a local authenticated privileged user can trigger a buffer overflow condition, leading to a kernel panic with large input to buffers in the portcfgfportbuffers command.
Fabric Os
CVE-2023-4162 Aug 31, 2023
Segfault via passwdcfg in Brocade Fabric OS 9.0-9.2.0a CLI
A segmentation fault can occur in Brocade Fabric OS after Brocade Fabric OS v9.0 and before Brocade Fabric OS v9.2.0a through the passwdcfg command. This could allow an authenticated privileged local user to crash a Brocade Fabric OS switch using the CLI command passwdcfg --set -expire -minDiff.
Fabric Operating System
Fabric Os
CVE-2023-3489 Aug 31, 2023
Brocade Fabric OS 9.2.0 firmwaredownload logs cleartext passwords
The firmwaredownload command on Brocade Fabric OS v9.2.0 could log the FTP/SFTP/SCP server password in clear text in the SupportSave file when performing a downgrade from Fabric OS v9.2.0 to any earlier version of Fabric OS.
Fabric Os
CVE-2023-31927 Aug 02, 2023
Brocade Fabric OS <=9.1.1c Web UI Info Disclosure
An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c could allow a remote unauthenticated attacker to get technical details about the web interface.
Fabric Os
CVE-2023-31431 Aug 02, 2023
Brocade Fabric OS v<9.2.0 Buffer Overflow diagstatus (DoS)
A buffer overflow vulnerability in the diagstatus command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service.
Fabric Os
CVE-2023-31430 Aug 02, 2023
Brocade FabricOS Secpolicydelete Buffer Overflow for Auth (pre 9.1.1c/9.2.0)
A buffer overflow vulnerability in the secpolicydelete command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service.
Fabric Os
CVE-2023-31428 Aug 02, 2023
Brocade Fabric OS pre v9.1.1c/v9.2.0: Local User Reads Home Dir via grep
Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under the user's home directory using grep.
Fabric Os
CVE-2023-31432 Aug 02, 2023
Brocade Fabric OS 9.1.1c: Priv Esc via portcfgupload & Config
Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0.
Fabric Os
CVE-2023-31425 Aug 01, 2023
Priv Escalation via fosexec in Brocade FOS <9.1.1
A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, root account access is disabled.
Fabric Os
CVE-2023-31429 Aug 01, 2023
Brocade Fabric OS <=9.1.1c & 9.2.0 Output Leak via shell var interpolation
Brocade Fabric OS before Brocade Fabric OS 9.1.1c, 9.2.0 contains a vulnerability when using various commands such as chassisdistribute, reboot, rasman, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable that can cause the content of shell interpreted variables to be printed in the terminal.
Fabric Os
CVE-2022-33186 Dec 08, 2022
Brocade FabricOS v9.x/v8.x/v7.x Remote Unauth Exec (Zoning/Port Disable)
A vulnerability in Brocade Fabric OS software v9.1.1, v9.0.1e, v8.2.3c, v7.4.2j, and earlier versions could allow a remote unauthenticated attacker to execute on a Brocade Fabric OS switch commands capable of modifying zoning, disabling the switch, disabling ports, and modifying the switch IP address.
Fabric Operating System
CVE-2022-33185 Oct 25, 2022
Brocade Fabric OS <9.0.1e & <9.1.0 stack overflow (CVE-2022-33185)
Several commands in Brocade Fabric OS before Brocade Fabric OS v9.0.1e and v9.1.0 use unsafe string functions to process user input. Authenticated local attackers could abuse these vulnerabilities to exploit stack-based buffer overflows, allowing arbitrary code execution as the root user account.
Fabric Os
CVE-2022-33184 Oct 25, 2022
Local Auth Root Exploit: Stack Buffer Overflow in Brocade Fabric OS <9.1.1
A vulnerability in fab_seg.c.h libraries of all Brocade Fabric OS versions before Brocade Fabric OS v9.1.1, v9.0.1e, v8.2.3c, v8.2.0_cbn5, 7.4.2j could allow local authenticated attackers to exploit stack-based buffer overflows and execute arbitrary code as the root user account.
Fabric Os
CVE-2022-33183 Oct 25, 2022
Brocade Fabric OS CLI Buffer Overflow <v9.1.0
A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a remote authenticated attacker to perform a stack buffer overflow in the firmwaredownload and diagshow commands.
Fabric Os
CVE-2022-33181 Oct 25, 2022
Brocade Fabric OS CLI Local Info Disclosure via configshow & supportlink pre-9.1.0
An information disclosure vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a local authenticated attacker to read sensitive files using switch commands configshow and supportlink.
Fabric Os
CVE-2022-33180 Oct 25, 2022
Brocade Fabric OS CLI <= v9.1.0 Export Sensitive Files via seccryptocfg
A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5 could allow a local authenticated attacker to export out sensitive files with seccryptocfg, configupload.
Fabric Os
CVE-2022-33179 Oct 25, 2022
Brocade Fabric OS CLI Local Auth Escalation Prior to v9.1.0
A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, and 7.4.2j could allow a local authenticated user to break out of restricted shells with set context and escalate privileges.
Fabric Os
CVE-2022-33178 Oct 25, 2022
Remote RCE via RADIUS in Brocade Fabric OS <9.0
A vulnerability in the RADIUS authentication system of Brocade Fabric OS before Brocade Fabric OS 9.0 could allow a remote attacker to execute arbitrary code on the Brocade switch.
Fabric Os
CVE-2021-27798 Aug 05, 2022
Brocade Fabric OS 7.3.x/7.4.1b Directory Traversal (privileged)
A vulnerability in Brocade Fabric OS versions 7.4.1b and 7.3.1d could allow local users to conduct privileged directory traversal. Brocade Fabric OS versions 7.4.1.x and 7.3.x have reached end of life. Brocade Fabric OS users should upgrade to supported versions as described in the Product End-of-Life published report.
Fabric Os
CVE-2022-27774 Jun 02, 2022
An insufficiently protected credentials vulnerability exists in curl 4.9 to and including curl 7.82.0 that could allow an attacker to extract credentials: when following HTTP(S) redirects is used with authentication, curl could leak credentials to other services that exist on different protocols or port numbers.
Fabric Operating System
CVE-2022-27775 Jun 02, 2022
An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0: when using an IPv6 address that was in the connection pool but with a different zone id, it could reuse a connection instead.
Fabric Operating System
CVE-2022-27776 Jun 02, 2022
An insufficiently protected credentials vulnerability fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
Fabric Operating System
CVE-2022-22576 May 26, 2022
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
Fabric Operating System
CVE-2022-28161 May 09, 2022
An information exposure through log file vulnerability in Brocade SANnav versions before Brocade SANnav 2.2.0 could allow an authenticated, local attacker to view sensitive information such as SSH passwords in filetansfer.log in debug mode. To exploit this vulnerability, the attacker would need to have valid user credentials and turn on debug mode.
Sannav
CVE-2021-22555 Jul 07, 2021
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
Fabric Operating System
CVE-2020-15376 Dec 11, 2020
Brocade Fabric OS versions before v9.0.0 and after version v8.1.0, configured in Virtual Fabric mode, contain a weakness in the LDAP implementation that could allow a remote LDAP user to log in to the Brocade Fibre Channel SAN switch with "user" privileges if it is not associated with any groups.
Fabric Os
CVE-2020-15375 Dec 11, 2020
Brocade Fabric OS versions before v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g contain an improper input validation weakness in the command line interface when seccryptocfg is invoked. The vulnerability could allow a local authenticated user to run arbitrary commands and perform escalation of privileges.
Fabric Os
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).