CVE-2015-9266
published 2018-09-05


Priority: P1 86 critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 74.00% (99.4th percentile)
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

Affected (12 ranges)

Vendor  Product                    Version range  Fixed in
ubnt    airos_4_xs2                < 4.0.4        4.0.4
ubnt    airos_4_xs5                < 4.0.4        4.0.4
ubnt    edgeswitch_xp_firmware     < 1.3.2        1.3.2
ui      af5_firmware               < 2.2.1        2.2.1
ui      af5x_firmware              < 3.0.2.1      3.0.2.1
ui      airfiber_af24_firmware     < 2.2.1        2.2.1
ui      airfiber_af24hd_firmware   < 2.2.1        2.2.1
ui      airgateway_firmware        < 1.15         1.15
ui      airmax_ac_firmware         (no range given)
ui      airmax_m_ti_firmware       < 5.6.2        5.6.2
ui      airmax_m_xm_firmware       < 5.6.2        5.6.2
ui      airmax_m_xw_firmware       < 5.6.2        5.6.2

Detection & IOCs (extracted from sources)

url:     https://192.168.1.20/login.cgi
path:    ../../etc/dropbear/authorized_keys
path:    /etc/dropbear/authorized_keys
path:    /etc/persistent/rc.poststart
command: curl -F "[email protected]/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
  • Detect unauthenticated multipart POST requests to /login.cgi containing directory traversal sequences (e.g., '../') in the Content-Disposition filename parameter.
  • Alert on HTTP POST requests to /login.cgi with a multipart filename field containing '../../etc/dropbear/authorized_keys' or '../../etc/passwd', indicating directory traversal file upload exploitation.
  • Flag presence of User-Agent 'Jakarta Commons-HttpClient/3.1' in requests to Ubiquiti device management interfaces, as this is the UA used in the documented exploit.
  • Monitor for unexpected modification of /etc/passwd, /etc/dropbear/authorized_keys, or /etc/persistent/rc.poststart on AirOS devices, which are the target files of this exploit and the 'mf' malware.
  • Correlate exploitation with subsequent unauthorized SSH root logins, as the attack chain uploads attacker-controlled public keys to /etc/dropbear/authorized_keys to enable root SSH access.
  • The exploit endpoint /login.cgi is accessible pre-authentication; no session or credentials are required to trigger the vulnerability, making network-level blocking of the management interface the primary mitigation.
  • All versions prior to the July 2015 fixes are affected across multiple product lines; patched versions are airMAX AC 7.1.3, airMAX M 5.6.2, airGateway 1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, AF5 2.2.1, airOS 4 XS2/XS5 4.0.4, and EdgeSwitch XP 1.3.2.
  • The 'mf' malware actively exploits this vulnerability in the wild to persist on devices via /etc/persistent/rc.poststart, indicating active exploitation beyond opportunistic scanning.
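A detection routine implementing the request-level rules above (multipart POST to /login.cgi with a traversing filename, the sensitive target paths, and the documented User-Agent), added here as an example that is not from the page's sources or from Ubiquiti; the HTTP requests it parses are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample HTTP requests (not captured traffic): a normal login and a
# multipart POST whose filename traverses out of the upload directory.
SAMPLE_REQUESTS = [
    "POST /login.cgi HTTP/1.1\r\nHost: 192.168.1.20\r\nUser-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=ubnt&password=x",
    "POST /login.cgi HTTP/1.1\r\nHost: 192.168.1.20\r\n"
    "User-Agent: Jakarta Commons-HttpClient/3.1\r\n"
    "Content-Type: multipart/form-data; boundary=X\r\n\r\n"
    '--X\r\nContent-Disposition: form-data; name="f"; '
    'filename="../../etc/dropbear/authorized_keys"\r\n\r\nssh-rsa AAAA...\r\n--X--',
]

# Files the documented exploit and the 'mf' malware write to (from the advisory).
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/dropbear/authorized_keys",
                     "/etc/persistent/rc.poststart")
SUSPECT_UA = "Jakarta Commons-HttpClient/3.1"
FILENAME_RE = re.compile(r'Content-Disposition:[^\r\n]*?filename="([^"]*)"', re.I)


def analyze_request(raw):
    """Return a list of (category, detail) findings for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    if len(parts) < 2:
        return []
    method, target = parts[0], parts[1].split("?")[0]
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    findings = []
    # The endpoint is reachable without authentication, so every POST to it is
    # inspected regardless of session state.
    if method != "POST" or target != "/login.cgi":
        return findings
    if headers.get("user-agent") == SUSPECT_UA:
        findings.append(("user-agent", SUSPECT_UA))
    if headers.get("content-type", "").lower().startswith("multipart/form-data"):
        for fname in FILENAME_RE.findall(body):
            # Percent-decode first so %2e%2e%2f is not missed, then collapse
            # '.'/'..' segments; a result still starting with '../' or '/' escapes
            # the intended upload directory.
            resolved = posixpath.normpath(unquote(fname).replace("\\", "/"))
            if resolved == ".." or resolved.startswith(("../", "/")):
                findings.append(("traversal", fname))
            for t in SENSITIVE_TARGETS:
                if resolved.endswith(t):
                    findings.append(("sensitive-target", t))
    return findings
```

Run `analyze_request` over each request in a proxy or IDS log; a non-empty result on the second sample shows all three indicators firing together.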

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C