Vulnerability Details : CVE-2015-9266
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.
Vulnerability category: Directory traversal
Products affected by CVE-2015-9266
- cpe:2.3:o:ubnt:airos_4_xs5:*:*:*:*:*:*:*:*
- cpe:2.3:o:ubnt:airos_4_xs2:*:*:*:*:*:*:*:*
- cpe:2.3:o:ubnt:edgeswitch_xp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airmax_ac_firmware:7.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airmax_m_xm_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airmax_m_xw_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airmax_m_ti_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airgateway_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airfiber_af24_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:airfiber_af24hd_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:af5x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ui:af5_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-9266
1.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 85 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-9266
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
MITRE | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2015-9266
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-9266
-
https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
Virus attack - URGENT @UBNT | Ubiquiti CommunityVendor Advisory
-
https://hackerone.com/reports/73480
#73480 Arbritrary file Upload on AirMaxIssue Tracking;Third Party Advisory
-
https://www.exploit-db.com/exploits/39701/
AirOS 6.x - Arbitrary File UploadExploit;Third Party Advisory;VDB Entry
-
https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload
Ubiquiti airOS Arbitrary File UploadExploit;Third Party Advisory
-
https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949
Important Security Notice and airOS 5.6.5 Release | Ubiquiti CommunityVendor Advisory
-
https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494
- | Ubiquiti CommunityPatch;Vendor Advisory
-
https://www.exploit-db.com/exploits/39853/
Ubiquiti airOS - Arbitrary File Upload (Metasploit)Exploit;Third Party Advisory;VDB Entry
Jump to