Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for a coordinated disclosure. The disclosure went smoothly and was easier than I had expected. Thanks Tod, Jon, & team!
The Rapid7 report is now available here:
All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected. This disclosure brings you 10 CVEs, 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot, for future modules.
All 13 Metasploit modules are ready to play with now.
Read on for details.
Back in April 2017, I posted SNMP vulnerabilities in Cambium ePMP devices.
ICS-CERT has now published the advisory for Cambium ePMP SNMP vulnerabilities:
Vendor: Cambium Networks
Vulnerabilities: Improper Access Control, Improper Privilege Management
Cambium ePMP product security, putting it mildly, needs considerable improvement. I will be publishing another set of fresh reports on Cambium devices soon. In case you are using ePMP boxes, or other Cambium appliances, please ensure:
1. your devices are not accessible publicly
2. default account passwords & SNMP community strings are changed to strong values
3. SNMP is filtered at the firewall.
Read on for details.