CVE-2017-5260
published 2017-12-20


Priority: P2 · 64 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 8.13% (94.1th percentile)
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http:///goform/down_cfg_file by this otherwise low privilege 'user' account.

Affected (6 ranges)

Vendor              Product                    Version range    Fixed in
cambium_networks    cnpilot                    -                -
cambiumnetworks     cnpilot_e400_firmware      <= 4.3.2-r4      -
cambiumnetworks     cnpilot_e410_firmware      <= 4.3.2-r4      -
cambiumnetworks     cnpilot_e600_firmware      <= 4.3.2-r4      -
cambiumnetworks     cnpilot_r190n_firmware     <= 4.3.2-r4      -
cambiumnetworks     cnpilot_r190v_firmware     <= 4.3.2-r4      -

Detection & IOCs (extracted from sources)

URL: http://<host>/goform/down_cfg_file
Path: /goform/down_cfg_file
  • Monitor HTTP GET requests to the path /goform/down_cfg_file on Cambium cnPilot devices, especially from low-privilege 'user' accounts, as this indicates exploitation of the IDOR vulnerability.
  • Detect login attempts and subsequent config dump requests targeting Cambium cnPilot r200/r201 management portals; the Metasploit module scans for these portals, attempts credential validation, and then retrieves the full device config via the IDOR endpoint.
  • The device configuration file is stored and returned in clear-text; if intercepted or exfiltrated, it will contain plaintext passwords and keys. Alert on large HTTP responses from /goform/down_cfg_file.
  • The vulnerability affects cnPilot firmware versions 4.3.2-R4 and prior only; patch or upgrade beyond this version to remediate.
  • The IDOR is exploitable by the built-in low-privilege 'user' account, which is a default account on the device alongside 'admin'. Both accounts should be reviewed and hardened.
  • The vulnerability is specific to Cambium cnPilot r200 and r201 hardware models.
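The detection bullets above boil down to two signals in a web access log: any request for /goform/down_cfg_file, and a 200 response with a large body from that path (the cleartext config being served). The following Python is an added example, not code from this page or from Cambium; it parses constructed Combined Log Format lines (the kind a reverse proxy or log collector in front of the management portal would write) and returns a finding per matching request. The 10,000-byte size threshold and the sample log lines are assumptions made for the example; the user field in such logs is usually "-" for cookie-based portal sessions, so the device-side login events remain the place to attribute a hit to the 'user' account.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoint named in the advisory. The body-size threshold is an assumption
# for this example; tune it to the size of a real config dump on your devices.
CONFIG_DUMP_PATH = "/goform/down_cfg_file"
LARGE_RESPONSE_BYTES = 10_000

# Combined Log Format: src ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    src: str
    user: str
    ts: str
    status: int
    size: int
    reason: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a request for the config-dump endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    # Compare the path only; ignore any query string
    path = m.group("target").split("?", 1)[0]
    if path != CONFIG_DUMP_PATH:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if status == 200 and size >= LARGE_RESPONSE_BYTES:
        reason = "config dump served (200 with large body)"
    elif status == 200:
        reason = "config endpoint returned 200"
    else:
        reason = f"config endpoint probed (status {status})"
    return Finding(m.group("src"), m.group("user"), m.group("ts"), status, size, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run check_line over every log line and keep the hits, in log order."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log (not captured from a real device): an ordinary page
# view, a portal login, a successful config download, and a rejected probe.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2017:10:00:01 +0000] "GET /index.asp HTTP/1.1" 200 3120',
    '192.0.2.10 - - [20/Dec/2017:10:00:05 +0000] "POST /goform/webLogin HTTP/1.1" 302 0',
    '192.0.2.10 - - [20/Dec/2017:10:00:09 +0000] "GET /goform/down_cfg_file HTTP/1.1" 200 48211',
    '198.51.100.7 - - [20/Dec/2017:11:30:00 +0000] "GET /goform/down_cfg_file HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.status} {f.size}B  {f.reason}")
```

A 200 from the endpoint is the higher-fidelity signal, because a successful download means the cleartext configuration (including passwords and keys) has left the device; a non-200 hit still indicates the endpoint was requested and is worth correlating with the source's earlier login activity.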

CVSS provenance

NVD v3.0: 8.8 HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C