netsweeper CVE Vulnerabilities & Metrics

Focus on netsweeper vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About netsweeper Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with netsweeper. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total netsweeper CVEs: 16
Earliest CVE date: 09 Jul 2012, 18:55 UTC
Latest CVE date: 19 May 2020, 20:15 UTC

Latest CVE reference: CVE-2020-13167

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical netsweeper CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 6.32

Max CVSS: 10.0

Critical CVEs (≥9): 2

CVSS Range vs. Count

Range	Count
0.0-3.9	0
4.0-6.9	11
7.0-8.9	6
9.0-10.0	2

CVSS Distribution Chart

Top 5 Highest CVSS netsweeper CVEs

These are the five CVEs with the highest CVSS scores for netsweeper, sorted by severity first and recency.

CVE-2012-3859 netsweeper Published on 09 Jul 2012, 18:55 UTC (CVSS: 10.0)
Unspecified vulnerability in the WebAdmin Portal in Netsweeper has unknown impact and attack vectors, a different vulnerability than CVE-2012-2446 and CVE-2012-2447.
CVE-2014-9605 netsweeper Published on 04 Sep 2015, 15:59 UTC (CVSS: 9.4)
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but ...
CVE-2020-13167 netsweeper Published on 19 May 2020, 20:15 UTC (CVSS: 7.5)
Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
CVE-2014-9614 netsweeper Published on 19 Feb 2020, 20:15 UTC (CVSS: 7.5)
The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.
CVE-2014-9613 netsweeper Published on 19 Feb 2020, 20:15 UTC (CVSS: 7.5)
Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to webadmin/auth/verification.php or (2) dpid parameter to webadmin/deny/index.php.

All CVEs for netsweeper

CVE-2020-13167 netsweeper vulnerability CVSS: 7.5 19 May 2020, 20:15 UTC

Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.

CVE-2014-9617 netsweeper vulnerability CVSS: 5.8 19 Feb 2020, 21:15 UTC

Open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

CVE-2014-9615 netsweeper vulnerability CVSS: 4.3 19 Feb 2020, 20:15 UTC

Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.

CVE-2014-9614 netsweeper vulnerability CVSS: 7.5 19 Feb 2020, 20:15 UTC

The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.

CVE-2014-9613 netsweeper vulnerability CVSS: 7.5 19 Feb 2020, 20:15 UTC

Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to webadmin/auth/verification.php or (2) dpid parameter to webadmin/deny/index.php.

CVE-2014-9612 netsweeper vulnerability CVSS: 7.5 19 Feb 2020, 20:15 UTC

SQL injection vulnerability in remotereporter/load_logfiles.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to execute arbitrary SQL commands via the server parameter.

CVE-2014-9609 netsweeper vulnerability CVSS: 5.0 19 Feb 2020, 20:15 UTC

Directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action.

CVE-2014-9608 netsweeper vulnerability CVSS: 4.3 19 Feb 2020, 20:15 UTC

Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVE-2014-9607 netsweeper vulnerability CVSS: 4.3 19 Feb 2020, 20:15 UTC

Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

CVE-2014-9606 netsweeper vulnerability CVSS: 4.3 19 Feb 2020, 20:15 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.

CVE-2014-9619 netsweeper vulnerability CVSS: 6.5 19 Sep 2017, 15:29 UTC

Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to execute arbitrary PHP code by uploading a file with a double extension, then accessing it via a direct request to the file in webadmin/deny/images/, as demonstrated by secuid0.php.gif.

CVE-2014-9618 netsweeper vulnerability CVSS: 7.5 19 Sep 2017, 15:29 UTC

The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.

CVE-2014-9616 netsweeper vulnerability CVSS: 5.0 19 Sep 2017, 15:29 UTC

Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to obtain sensitive information by making a request that redirects to the deny page.

CVE-2014-9611 netsweeper vulnerability CVSS: 7.5 19 Sep 2017, 15:29 UTC

Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.

CVE-2014-9610 netsweeper vulnerability CVSS: 5.0 19 Sep 2017, 15:29 UTC

Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and remove IP addresses from the quarantine via the ip parameter to webadmin/user/quarantine_disable.php.

CVE-2014-9605 netsweeper vulnerability CVSS: 9.4 04 Sep 2015, 15:59 UTC

WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.

CVE-2012-3859 netsweeper vulnerability CVSS: 10.0 09 Jul 2012, 18:55 UTC

Unspecified vulnerability in the WebAdmin Portal in Netsweeper has unknown impact and attack vectors, a different vulnerability than CVE-2012-2446 and CVE-2012-2447.

CVE-2012-2447 netsweeper vulnerability CVSS: 6.8 09 Jul 2012, 18:55 UTC

Cross-site request forgery (CSRF) vulnerability in accountmgr/adminupdate.php in the WebAdmin Portal in Netsweeper allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via an add action.

CVE-2012-2446 netsweeper vulnerability CVSS: 4.3 09 Jul 2012, 18:55 UTC

Cross-site scripting (XSS) vulnerability in tools/local_lookup.php in the WebAdmin Portal in Netsweeper allows remote attackers to inject arbitrary web script or HTML via the group parameter in a lookup action.