Vulnerability Details : CVE-2017-5255
Public exploit exists!
In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitization for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root.
Products affected by CVE-2017-5255
- cpe:2.3:o:cambiumnetworks:epmp_1000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cambiumnetworks:epmp_2000_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5255
- 20.80%: probability of exploitation activity in the next 30 days
- ~96%: percentile, the proportion of vulnerabilities that are scored at or below this EPSS score
Metasploit modules for CVE-2017-5255
- Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)
  Disclosure Date: 2017-12-18. First seen: 2020-04-26. Module: exploit/unix/http/epmp1000_get_chart_cmd_shell. This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell. The module has be
- Cambium ePMP1000 'ping' Shell via Command Injection (up to v2.5)
  Disclosure Date: 2015-11-28. First seen: 2020-04-26. Module: exploit/unix/http/epmp1000_ping_cmd_shell. This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell.
- Cambium ePMP 1000 'get_chart' Command Injection (v3.1-3.5-RC7)
  First seen: 2020-04-26. Module: auxiliary/scanner/http/epmp1000_get_chart_cmd_exec. This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (v3.1-3.5-RC7) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
CVSS scores for CVE-2017-5255
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2017-5255
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by:
  - cve@rapid7.com (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2017-5255
- https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
  R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities (Third Party Advisory)
- https://www.exploit-db.com/exploits/43413/
  Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit) (Third Party Advisory; VDB Entry)