CVE-2017-5254

HIGH

Cambium Networks ePMP <3.5 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-5254. Includes Metasploit module auxiliary/scanner/http/epmp1000_reset_pass.

AI-analyzed exploit summary This Metasploit module exploits an access control vulnerability in Cambium ePMP devices to reset passwords of existing users, including admin, using non-admin credentials. It targets versions 3.0-3.5-RC7 by sending a crafted POST request to change the password.

Description

In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism.

Exploits (1)

metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb

This Metasploit module exploits an access control vulnerability in Cambium ePMP devices to reset passwords of existing users, including admin, using non-admin credentials. It targets versions 3.0-3.5-RC7 by sending a crafted POST request to change the password.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Cambium ePMP 1000 <=3.5
Auth required
Prerequisites: Valid non-admin credentials (installer/installer or home/home) · Network access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.5370
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269 CWE-284
Status published
Products (3)
Cambium Networks/ePMP 3.5 and prior
cambiumnetworks/epmp_1000_firmware < 3.5
cambiumnetworks/epmp_2000_firmware < 3.5
Published Dec 20, 2017
Tracked Since Feb 18, 2026