CVE-2015-9266
Ubiquiti airOS HTTP(S) unauthenticated arbitrary file upload
Public Exploits: 3
Exploited in Wild: -
Descriptions
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.
Timeline
- 2018-09-04 CVE Reserved
- 2018-09-05 CVE Published
- 2024-01-27 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (7)
URL | Tag | Source |
---|---|---|
https://hackerone.com/reports/73480 | Issue Tracking | |

URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/39701 | 2024-08-06 | |
https://www.exploit-db.com/exploits/39853 | 2024-08-06 | |
https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload | 2024-08-06 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Ui | Airmax Ac Firmware | 7.1.3 | - | Affected | in | Ui | Airmax Ac | - | - | Safe |
Ui | Airmax M Xm Firmware | < 5.6.2 | - | Affected | in | Ui | Airmax M Xm | - | - | Safe |
Ui | Airmax M Xw Firmware | < 5.6.2 | - | Affected | in | Ui | Airmax M Xw | - | - | Safe |
Ui | Airmax M Ti Firmware | < 5.6.2 | - | Affected | in | Ui | Airmax M Ti | - | - | Safe |
Ui | Airgateway Firmware | < 1.15 | - | Affected | in | Ui | Airgateway | - | - | Safe |
Ui | Airfiber Af24 Firmware | < 2.2.1 | - | Affected | in | Ui | Airfiber Af24 | - | - | Safe |
Ui | Airfiber Af24hd Firmware | < 2.2.1 | - | Affected | in | Ui | Airfiber Af24hd | - | - | Safe |
Ui | Af5x Firmware | < 3.0.2.1 | - | Affected | in | Ui | Af5x | - | - | Safe |
Ui | Af5 Firmware | < 2.2.1 | - | Affected | in | Ui | Af5 | - | - | Safe |
Ubnt | Airos 4 Xs2 | < 4.0.4 | - | Affected | in | Ui | Airmax Ac | - | - | Safe |
Ubnt | Airos 4 Xs2 | < 4.0.4 | - | Affected | in | Ui | Airmax M | - | - | Safe |
Ubnt | Airos 4 Xs5 | < 4.0.4 | - | Affected | in | Ui | Airmax Ac | - | - | Safe |
Ubnt | Airos 4 Xs5 | < 4.0.4 | - | Affected | in | Ui | Airmax M | - | - | Safe |
Ubnt | Edgeswitch Xp Firmware | < 1.3.2 | - | Affected | in | Ui | Edgeswitch Xp | - | - | Safe |