cbcvebase.
CVE-2017-5259
published 2017-12-20

CVE-2017-5259: In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path…

PriorityP183high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
39.18%
98.4th percentile
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https:///adm/syscmd.asp.

Affected

9 ranges
VendorProductVersion rangeFixed in
cambium_networkscnpilot
cambiumnetworkscnpilot_e400_firmware<= 4.3.2-r4
cambiumnetworkscnpilot_e410_firmware<= 4.3.2-r4
cambiumnetworkscnpilot_e600_firmware<= 4.3.2-r4
cambiumnetworkscnpilot_r190n_firmware<= 4.3.2-r4
cambiumnetworkscnpilot_r190v_firmware<= 4.3.2-r4
cron_projectcron>= 0 < 3.0pl1-128.1ubuntu1.13.0pl1-128.1ubuntu1.1
cron_projectcron>= 0 < 3.0pl1-128.1ubuntu1.23.0pl1-128.1ubuntu1.2
cron_projectcron>= 0 < 3.0pl1-128ubuntu2+esm23.0pl1-128ubuntu2+esm2

Detection & IOCsextracted from sources · hover to see the quote

path/adm/syscmd.asp
  • Detect HTTP requests to the undocumented web shell path /adm/syscmd.asp on Cambium cnPilot devices, which provides root-privilege command execution to any authenticated user.
  • Flag any authenticated HTTP access to /adm/syscmd.asp on cnPilot r200/r201 devices running firmware versions 4.2.3-R4 through 4.3.3-R4 as exploitation of the backdoor shell.
  • Monitor for arbitrary OS command execution originating from the web shell path /adm/syscmd.asp running as root on Cambium cnPilot devices.
  • ·The backdoor shell is accessible to ANY authenticated user, not just administrators — authentication alone is insufficient as a control boundary.
  • ·Affected firmware version range spans 4.2.3-R4 to 4.3.3-R4 per Metasploit module, while NVD states 4.3.2-R4 and prior — detections should cover the broader range.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
osv6.7MEDIUM
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.