CVE-2017-5254

HIGH

Cambium Networks ePMP <3.5 - Privilege Escalation

Title source: llm

Description

In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism.

Exploits (1)

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb

View Code ZIP pw:eip

References (1)

[Third Party Advisory, VDB Entry] https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

Scores

CVSS v3 8.8

EPSS 0.6759

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-284 CWE-269

Status published

Products (3)

Cambium Networks/ePMP 3.5 and prior

cambiumnetworks/epmp_1000_firmware < 3.5

cambiumnetworks/epmp_2000_firmware < 3.5

Published Dec 20, 2017

Tracked Since Feb 18, 2026