CVE-2015-9266

Ubiquiti airOS HTTP(S) unauthenticated arbitrary file upload

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker could exploit this vulnerability to obtain root privileges. The vulnerability is fixed in the following product versions (fixes released in July 2015; all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1 and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

*Credits: This vulnerability was reported by 93c08539.
CVSS Scores

CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-09-04 CVE Reserved
  • 2018-09-05 CVE Published
  • 2024-01-27 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions

Vendor | Product                  | Version   | Other | Status   | Running on (Vendor / Product / Version / Status)
Ui     | Airmax Ac Firmware       | 7.1.3     | -     | Affected | Ui / Airmax Ac / -- / Safe
Ui     | Airmax M Xm Firmware     | < 5.6.2   | -     | Affected | Ui / Airmax M Xm / -- / Safe
Ui     | Airmax M Xw Firmware     | < 5.6.2   | -     | Affected | Ui / Airmax M Xw / -- / Safe
Ui     | Airmax M Ti Firmware     | < 5.6.2   | -     | Affected | Ui / Airmax M Ti / -- / Safe
Ui     | Airgateway Firmware      | < 1.15    | -     | Affected | Ui / Airgateway / -- / Safe
Ui     | Airfiber Af24 Firmware   | < 2.2.1   | -     | Affected | Ui / Airfiber Af24 / -- / Safe
Ui     | Airfiber Af24hd Firmware | < 2.2.1   | -     | Affected | Ui / Airfiber Af24hd / -- / Safe
Ui     | Af5x Firmware            | < 3.0.2.1 | -     | Affected | Ui / Af5x / -- / Safe
Ui     | Af5 Firmware             | < 2.2.1   | -     | Affected | Ui / Af5 / -- / Safe
Ubnt   | Airos 4 Xs2              | < 4.0.4   | -     | Affected | Ui / Airmax Ac / -- / Safe
Ubnt   | Airos 4 Xs2              | < 4.0.4   | -     | Affected | Ui / Airmax M / -- / Safe
Ubnt   | Airos 4 Xs5              | < 4.0.4   | -     | Affected | Ui / Airmax Ac / -- / Safe
Ubnt   | Airos 4 Xs5              | < 4.0.4   | -     | Affected | Ui / Airmax M / -- / Safe
Ubnt   | Edgeswitch Xp Firmware   | < 1.3.2   | -     | Affected | Ui / Edgeswitch Xp / -- / Safe