// For flags

CVE-2017-5255

Cambium ePMP1000 - 'get_chart' Shell via Command Injection

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root.

En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, la falta de saneamiento de valores de entrada para determinados parámetros en la consola de gestión web permite que cualquier usuario autenticado (incluyendo el usuario de privilegios bajos readonly) inyecte metacaracteres shell como parte de una petición POST especialmente manipulada en la función get_chart y ejecute comandos a nivel de sistema operativo de manera efectiva como root.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-01-09 CVE Reserved
  • 2017-12-20 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • 2024-10-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cambiumnetworks
Search vendor "Cambiumnetworks"
 Epmp 1000 Firmware
Search vendor "Cambiumnetworks" for product "Epmp 1000 Firmware"
 <= 3.5
Search vendor "Cambiumnetworks" for product "Epmp 1000 Firmware" and version " <= 3.5"
-
Affected
in Cambiumnetworks
Search vendor "Cambiumnetworks"
 Epmp 1000
Search vendor "Cambiumnetworks" for product "Epmp 1000"
--
Safe
Cambiumnetworks
Search vendor "Cambiumnetworks"
 Epmp 2000 Firmware
Search vendor "Cambiumnetworks" for product "Epmp 2000 Firmware"
 <= 3.5
Search vendor "Cambiumnetworks" for product "Epmp 2000 Firmware" and version " <= 3.5"
-
Affected
in Cambiumnetworks
Search vendor "Cambiumnetworks"
 Epmp 2000
Search vendor "Cambiumnetworks" for product "Epmp 2000"
--
Safe