CVE-2017-5255
Published 2017-12-20
Priority: P2 / 78 / high · CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H) · Exploit available
EPSS: 74.56% (99.4th percentile)
In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cambium_networks | epmp | — | — |
| cambiumnetworks | epmp_1000_firmware | <= 3.5 | — |
| cambiumnetworks | epmp_2000_firmware | <= 3.5 | — |
Detection & IOCs (extracted from sources)
- Alert on POST requests to '/cgi-bin/luci/;stok=<token>/admin/get_chart' from low-privilege accounts (installer, home), as this endpoint is the injection vector for CVE-2017-5255.
- Monitor for use of the default credentials admin/admin, installer/installer, or home/home against the ePMP1000 web management portal, as the exploit requires one of these credential pairs.
- Detect the X-Requested-With: XMLHttpRequest header combined with a POST to /cgi-bin/luci targeting ePMP devices, which is the authentication and exploitation pattern used by this module.
- Flag ePMP firmware versions 3.1 through 3.5-RC7 as vulnerable; the exploit explicitly checks for this version range before proceeding.
- Fingerprinting requests check for 'cambium.min.css' or 'cambiumnetworks.com' and 'https://support.cambiumnetworks.com/files/epmp/' in the HTTP response body; detect reconnaissance scanning for these strings.
- The exploit module targets firmware versions 3.1 through 3.5-RC7 specifically; a separate module (epmp1000_ping_cmd_exec/shell) covers versions up to v2.5 via a different 'ping' injection vector.
- The web management portal may run on a non-standard port; the default is 80, but defenders should scan all ports for the ePMP management interface.
- The vulnerability is exploitable by any authenticated user, including the low-privilege readonly user, not just admin accounts; access controls alone are insufficient mitigation.
- The 'measure' POST parameter is also injectable in addition to 'timestamp', so detection rules must cover both parameters in POST requests to get_chart.
CVSS provenance
- NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
Exploit-DB
Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit), exploitdb, 2018-01-01
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => "Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)",
      'Description' => %{
        This module exploits an OS Command Injection vulnerability in Cambium
        ePMP1000 device management portal. It requires any one of the following login
        credentials - admin/admin, installer/installer, home/home - to set up a reverse
        netcat shell. The module has been tested on versions 3.1-3.5-RC7.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Karn Ganeshen '
        ],
      'References' =>
        [
          ['CVE', '2017-5255'],
          ['URL', 'https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-a
```
Metasploit
- Cambium ePMP1000 'ping' Shell via Command Injection (up to v2.5): This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell.
- Cambium ePMP 1000 'get_chart' Command Injection (v3.1-3.5-RC7): This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (v3.1-3.5-RC7) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
- Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7): This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell. The module has been tested on versions 3.1-3.5-RC7.
- Cambium ePMP 1000 'ping' Command Injection (up to v2.5): This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
No writeups or analysis indexed.