CVE-2015-9266

Ubiquiti airOS HTTP(S) unauthenticated arbitrary file upload

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

La interfaz web de gestión de Ubiquiti airMAX, airFiber, airGateway y EdgeSwitch XP (anteriormente TOUGHSwitch) permite que un atacante no autenticado suba y escriba archivos arbitrarios mediante técnicas de salto de directorio. Un atacante podría explotar esta vulnerabilidad para obtener privilegios root. La vulnerabilidad se soluciona en las siguientes versiones del producto (soluciones lanzadas en julio de 2015, todas las versiones anteriores se han visto afectadas): airMAX AC 7.1.3; airMAX M (y airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI y 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1 y AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; y EdgeSwitch XP (anteriormente TOUGHSwitch) 1.3.2.

*Credits: This vulnerability was reported by 93c08539.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-04 CVE Reserved
2018-09-05 CVE Published
2024-01-27 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (7)

URL	Tag	Source
https://hackerone.com/reports/73480	Issue Tracking

URL	Date	SRC
https://www.exploit-db.com/exploits/39701	2024-08-06
https://www.exploit-db.com/exploits/39853	2024-08-06
https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload	2024-08-06

URL	Date	SRC
https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494	2021-08-12

URL	Date	SRC
https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940	2021-08-12
https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949	2021-08-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ui Search vendor "Ui"	Airmax Ac Firmware Search vendor "Ui" for product "Airmax Ac Firmware"	7.1.3 Search vendor "Ui" for product "Airmax Ac Firmware" and version "7.1.3"	-	Affected	in	Ui Search vendor "Ui"	Airmax Ac Search vendor "Ui" for product "Airmax Ac"	-	-	Safe
Ui Search vendor "Ui"	Airmax M Xm Firmware Search vendor "Ui" for product "Airmax M Xm Firmware"	< 5.6.2 Search vendor "Ui" for product "Airmax M Xm Firmware" and version " < 5.6.2"	-	Affected	in	Ui Search vendor "Ui"	Airmax M Xm Search vendor "Ui" for product "Airmax M Xm"	-	-	Safe
Ui Search vendor "Ui"	Airmax M Xw Firmware Search vendor "Ui" for product "Airmax M Xw Firmware"	< 5.6.2 Search vendor "Ui" for product "Airmax M Xw Firmware" and version " < 5.6.2"	-	Affected	in	Ui Search vendor "Ui"	Airmax M Xw Search vendor "Ui" for product "Airmax M Xw"	-	-	Safe
Ui Search vendor "Ui"	Airmax M Ti Firmware Search vendor "Ui" for product "Airmax M Ti Firmware"	< 5.6.2 Search vendor "Ui" for product "Airmax M Ti Firmware" and version " < 5.6.2"	-	Affected	in	Ui Search vendor "Ui"	Airmax M Ti Search vendor "Ui" for product "Airmax M Ti"	-	-	Safe
Ui Search vendor "Ui"	Airgateway Firmware Search vendor "Ui" for product "Airgateway Firmware"	< 1.15 Search vendor "Ui" for product "Airgateway Firmware" and version " < 1.15"	-	Affected	in	Ui Search vendor "Ui"	Airgateway Search vendor "Ui" for product "Airgateway"	-	-	Safe
Ui Search vendor "Ui"	Airfiber Af24 Firmware Search vendor "Ui" for product "Airfiber Af24 Firmware"	< 2.2.1 Search vendor "Ui" for product "Airfiber Af24 Firmware" and version " < 2.2.1"	-	Affected	in	Ui Search vendor "Ui"	Airfiber Af24 Search vendor "Ui" for product "Airfiber Af24"	-	-	Safe
Ui Search vendor "Ui"	Airfiber Af24hd Firmware Search vendor "Ui" for product "Airfiber Af24hd Firmware"	< 2.2.1 Search vendor "Ui" for product "Airfiber Af24hd Firmware" and version " < 2.2.1"	-	Affected	in	Ui Search vendor "Ui"	Airfiber Af24hd Search vendor "Ui" for product "Airfiber Af24hd"	-	-	Safe
Ui Search vendor "Ui"	Af5x Firmware Search vendor "Ui" for product "Af5x Firmware"	< 3.0.2.1 Search vendor "Ui" for product "Af5x Firmware" and version " < 3.0.2.1"	-	Affected	in	Ui Search vendor "Ui"	Af5x Search vendor "Ui" for product "Af5x"	-	-	Safe
Ui Search vendor "Ui"	Af5 Firmware Search vendor "Ui" for product "Af5 Firmware"	< 2.2.1 Search vendor "Ui" for product "Af5 Firmware" and version " < 2.2.1"	-	Affected	in	Ui Search vendor "Ui"	Af5 Search vendor "Ui" for product "Af5"	-	-	Safe
Ubnt Search vendor "Ubnt"	Airos 4 Xs2 Search vendor "Ubnt" for product "Airos 4 Xs2"	< 4.0.4 Search vendor "Ubnt" for product "Airos 4 Xs2" and version " < 4.0.4"	-	Affected	in	Ui Search vendor "Ui"	Airmax Ac Search vendor "Ui" for product "Airmax Ac"	-	-	Safe
Ubnt Search vendor "Ubnt"	Airos 4 Xs2 Search vendor "Ubnt" for product "Airos 4 Xs2"	< 4.0.4 Search vendor "Ubnt" for product "Airos 4 Xs2" and version " < 4.0.4"	-	Affected	in	Ui Search vendor "Ui"	Airmax M Search vendor "Ui" for product "Airmax M"	-	-	Safe
Ubnt Search vendor "Ubnt"	Airos 4 Xs5 Search vendor "Ubnt" for product "Airos 4 Xs5"	< 4.0.4 Search vendor "Ubnt" for product "Airos 4 Xs5" and version " < 4.0.4"	-	Affected	in	Ui Search vendor "Ui"	Airmax Ac Search vendor "Ui" for product "Airmax Ac"	-	-	Safe
Ubnt Search vendor "Ubnt"	Airos 4 Xs5 Search vendor "Ubnt" for product "Airos 4 Xs5"	< 4.0.4 Search vendor "Ubnt" for product "Airos 4 Xs5" and version " < 4.0.4"	-	Affected	in	Ui Search vendor "Ui"	Airmax M Search vendor "Ui" for product "Airmax M"	-	-	Safe
Ubnt Search vendor "Ubnt"	Edgeswitch Xp Firmware Search vendor "Ubnt" for product "Edgeswitch Xp Firmware"	< 1.3.2 Search vendor "Ubnt" for product "Edgeswitch Xp Firmware" and version " < 1.3.2"	-	Affected	in	Ui Search vendor "Ui"	Edgeswitch Xp Search vendor "Ui" for product "Edgeswitch Xp"	-	-	Safe