CVE-2017-5255
published 2017-12-20


Priority: P2 (78) · Severity: high · CVSS 3.0 base score: 8.8
CVSS 3.0 metrics: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public
EPSS: 74.56% (99.4th percentile)
In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root.

Affected (3 ranges)

Vendor             Product               Version range   Fixed in
cambium_networks   epmp                  (not listed)    (not listed)
cambiumnetworks    epmp_1000_firmware    <= 3.5          (not listed)
cambiumnetworks    epmp_2000_firmware    <= 3.5          (not listed)

Detection & IOCs (extracted from sources)

url: /cgi-bin/luci/;stok=<stok>/admin/get_chart
url: /cgi-bin/luci
path: /cgi-bin/luci
cookie: sysauth
cookie: stok_80=<value>
command: inject = '|' + "#{command}"
  • Alert on POST requests to '/cgi-bin/luci/;stok=<token>/admin/get_chart' from low-privilege accounts (installer, home, readonly): this endpoint is the injection vector for CVE-2017-5255.
  • Monitor for the default credential pairs admin/admin, installer/installer and home/home against the ePMP1000 web management portal. The exploit needs any valid authenticated session; these pairs are the defaults the module tries first.
  • Detect the X-Requested-With: XMLHttpRequest header combined with a POST to /cgi-bin/luci on ePMP devices; this is the authentication and exploitation pattern the module uses. The legitimate web UI also issues XHR requests, so treat it as scoping context rather than a standalone alert.
  • Treat ePMP firmware 3.1 through 3.5-RC7 as in scope for this module, which checks that range before proceeding; the CVE itself covers 3.5 and prior.
  • Fingerprinting requests look for 'cambium.min.css' or 'cambiumnetworks.com' and 'https://support.cambiumnetworks.com/files/epmp/' in the HTTP response body; detect reconnaissance scanning for these strings.
  • The exploit module targets firmware versions 3.1 through 3.5-RC7 specifically; a separate module (epmp1000_ping_cmd_exec/shell) covers versions up to v2.5 via a different 'ping' injection vector.
  • The web management portal may run on a non-standard port; the default is 80, but defenders should scan all ports for the ePMP management interface.
  • The vulnerability is exploitable by any authenticated user, including the low-privilege readonly user, not just admin accounts, so access controls alone are insufficient mitigation.
  • The 'measure' POST parameter is injectable in addition to 'timestamp', so detection rules must cover both parameters in POST requests to get_chart.
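The indicators above, turned into a detector that runs over constructed request records. This is an added example written for this page; it is not Cambium's code and not the Metasploit module. The record format, the login field names `username`/`password`, the `set_stok` field (the session token the login response issued) and the sample traffic are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Injection endpoint from the IOC list above; the ;stok= session token varies per login.
GET_CHART_RE = re.compile(r"^/cgi-bin/luci/;stok=([^/]+)/admin/get_chart$")
LOGIN_PATH = "/cgi-bin/luci"

# Both POST parameters the page lists as injectable.
INJECTABLE_PARAMS = ("timestamp", "measure")
# Shell metacharacters; none belong in a numeric timestamp or a measure name.
SHELL_META = re.compile(r"[|;&`$<>\n]")

DEFAULT_CREDS = {("admin", "admin"), ("installer", "installer"), ("home", "home")}
LOW_PRIV_USERS = {"installer", "home", "readonly"}


def version_affected(version):
    """CVE text: '3.5 and prior'. Compares the leading numeric components, so
    '3.5-RC7', '3.4.1' and '2.5' are in range; '3.5.1' and '4.0' sort above 3.5."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))
    return nums <= (3, 5)


def detect(records):
    """Apply the page's indicators to request records; return (rule, src, detail) alerts.

    Record format (assumed for this example): dicts with src, method, path, body
    (urlencoded) and, for a login whose response issued a session token, set_stok."""
    alerts = []
    session_user = {}  # stok token -> username learned from the login POST
    for r in records:
        if r["method"] != "POST":
            continue
        # parse_qs decodes %7C etc., so an encoded '|' is still caught below.
        params = {k: v[0] for k, v in parse_qs(r.get("body", ""), keep_blank_values=True).items()}
        if r["path"] == LOGIN_PATH:
            cred = (params.get("username"), params.get("password"))  # assumed field names
            if cred in DEFAULT_CREDS:
                alerts.append(("default-credentials", r["src"], "%s/%s" % cred))
            if r.get("set_stok"):
                session_user[r["set_stok"]] = cred[0]
            continue
        m = GET_CHART_RE.match(r["path"])
        if not m:
            continue
        user = session_user.get(m.group(1), "unknown")
        for p in INJECTABLE_PARAMS:
            if p in params and SHELL_META.search(params[p]):
                alerts.append(("get_chart-injection", r["src"], "%s %s=%s" % (user, p, params[p])))
        if user in LOW_PRIV_USERS:
            alerts.append(("get_chart-low-priv", r["src"], user))
    return alerts


# Constructed sample traffic for this example, not captured data.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": LOGIN_PATH,
     "body": "username=installer&password=installer", "set_stok": "c0ffee11"},
    {"src": "203.0.113.10", "method": "POST",
     "path": "/cgi-bin/luci/;stok=c0ffee11/admin/get_chart",
     "body": "timestamp=1513776000%7Cid&measure=rssi"},       # '|' URL-encoded as %7C
    {"src": "192.0.2.5", "method": "POST", "path": LOGIN_PATH,
     "body": "username=admin&password=L0ng-unique-passphrase", "set_stok": "deadbeef"},
    {"src": "192.0.2.5", "method": "POST",
     "path": "/cgi-bin/luci/;stok=deadbeef/admin/get_chart",
     "body": "timestamp=1513776000&measure=rssi"},             # benign chart request
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH,
     "body": "username=admin&password=admin"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_REQUESTS):
        print(*alert)
```

The session-to-user mapping is what makes the low-privilege rule usable: the get_chart request itself carries only the stok token, so the username has to be remembered from the login POST that issued it. Decoding the body before matching matters too, since the module sends the pipe URL-encoded.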

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0, vector AV:N/AC:L/Au:S/C:C/I:C/A:C (labelled CRITICAL on this page; the CVSS v2 scale itself rates 9.0 as HIGH, since v2 has no critical band)