December 19, 2017 Karn Ganeshen

Cambium ePMP and cnPilot Multiple Vulnerabilities

Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for a coordinated disclosure. The disclosure went more smoothly and easily than I had expected. Thanks Tod, Jon, & team!

The Rapid7 report is now available here:

All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected.

CVE | Product / Version | Issue | Status
CVE-2017-5254 | ePMP v3.5 | Privilege escalation via client-side protection bypass | Fixed in v3.5.1
CVE-2017-5255 | ePMP v3.5 | Privilege escalation via command injection | Fixed in v3.5.1
CVE-2017-5256 | ePMP v3.5 | Privilege escalation via XSS | Fixed in v3.5.1
CVE-2017-5257 | ePMP v3.5 | Privilege escalation via XSS via SNMP OIDs using RW access | Fixed in v3.5.1
CVE-2017-5258 | ePMP v3.5 | Privilege escalation via XSS via SNMP configuration upload using RW access | Fixed in v3.5.1
CVE-2017-5259 | cnPilot v4.3.2-R4 | Privilege escalation via backdoor access | Fixed in v4.4
CVE-2017-5260 | cnPilot v4.3.2-R4 | Privilege escalation via direct object reference | Fixed in v4.4
CVE-2017-5261 | cnPilot v4.3.2-R4 | Critical information disclosure via file path traversal in Readfile | Fixed in v4.4
CVE-2017-5262 | cnPilot v4.3.2-R4 | Privilege escalation via SNMP RO access to sensitive OIDs | Fixed in v4.4
CVE-2017-5263 | cnPilot v4.3.2-R4 | Lack of CSRF controls | Unpatched
None | cnPilot v4.3.2-R4, ePMP v3.5, ePMP 1000 Hotspot v3.3 | Shipping suspicious binaries | Unresolved


This disclosure brings you 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot, for use in future modules.

All 13 Metasploit modules are ready to play with now. Check them out:

