March 29, 2017 Karn Ganeshen

3 New Metasploit Modules for Cambium ePMP Landed

Back in 2015, I reported multiple vulnerabilities in Cambium ePMP 1000 appliances. I finally submitted Metasploit modules for testing ePMP devices. Check them out.

Cambium ePMP 1000 – Multiple vulnerabilities

Cambium ePMP 1000 Login Scanner

This module scans for Cambium ePMP 1000 management login portal(s) and attempts to identify valid credentials. The default login credentials are admin/admin, installer/installer, home/home and readonly/readonly.

Cambium ePMP 1000 Password Hash Extractor

This module exploits an OS command injection vulnerability in the device management portal of Cambium ePMP 1000 (<v2.5). To dump system hashes, it requires any one of the following login credentials: admin/admin, installer/installer or home/home.


Cambium ePMP 1000 Dump Device Config

This module dumps the Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts: admin/admin, installer/installer, home/home, and readonly/readonly. The module requires any one of the following login credentials to dump the device configuration file: admin, installer or home.



