CVE-2017-5254
Published 2017-12-20
Priority: P2 70 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 53.70% (98.9th percentile)
In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cambium_networks | epmp | — | — |
| cambiumnetworks | epmp_1000_firmware | <= 3.5 | — |
| cambiumnetworks | epmp_2000_firmware | <= 3.5 | — |
Detection & IOCs (extracted from sources)
- Monitor for password change requests originating from sessions authenticated as 'installer' or 'home' accounts targeting other user accounts (including 'admin') on the Cambium ePMP device management portal.
- Detect exploitation attempts by looking for HTTP requests that modify account passwords from non-admin sessions (installer or home roles) after bypassing client-side protection mechanisms on ePMP firmware versions 3.0–3.5.
- Flag use of default credentials installer/installer or home/home against Cambium ePMP management interfaces, as these are the prerequisite credentials for this exploit.
- The exploit requires a client-side protection mechanism to be disabled first; server-side enforcement is absent in affected versions, meaning purely network-level controls will not prevent exploitation once an attacker has non-admin credentials.
- The Metasploit module targets firmware versions 3.0 through 3.5-RC7 specifically; devices outside this range may behave differently and detections should be scoped accordingly.
CVSS provenance
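| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |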