CVE-2017-5255

HIGH

Cambium Networks ePMP <3.5 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2017-5255. PoCs published by Metasploit, including Metasploit module auxiliary/scanner/http/epmp1000_ping_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits an OS command injection vulnerability in Cambium ePMP1000 device management portal via the 'get_chart' endpoint. It authenticates using default credentials and injects a reverse shell payload.

Description

In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root.

Exploits (5)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotecgi

https://www.exploit-db.com/exploits/43413

View Code ZIP pw:eip

This Metasploit module exploits an OS command injection vulnerability in Cambium ePMP1000 device management portal via the 'get_chart' endpoint. It authenticates using default credentials and injects a reverse shell payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cambium ePMP1000 versions 3.1-3.5-RC7

Auth required

Prerequisites: Network access to the target device · Valid credentials (admin/admin, installer/installer, or home/home)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Cambium ePMP 1000 devices (versions <2.5) via the 'ping' functionality. It authenticates using default credentials and injects arbitrary commands through the 'packets_num' parameter.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cambium ePMP 1000 <v2.5

Auth required

Prerequisites: Network access to the target device · Valid credentials (admin/admin, installer/installer, home/home)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an OS command injection vulnerability in Cambium ePMP 1000 devices (versions 3.1-3.5-RC7) by injecting commands into the 'timestamp' parameter of the 'get_chart' endpoint. It requires authentication with default credentials.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cambium ePMP 1000 (v3.1-3.5-RC7)

Auth required

Prerequisites: Network access to the target device · Valid credentials (admin/admin, installer/installer, home/home)

MITRE ATT&CK

T1202 - Indirect Command Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/epmp1000_ping_cmd_shell.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Cambium ePMP1000 devices (up to v2.5) via the 'ping' functionality, allowing authenticated users to execute arbitrary commands and obtain a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cambium ePMP1000 (up to v2.5)

Auth required

Prerequisites: Valid credentials (admin/admin, installer/installer, home/home) · Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/epmp1000_get_chart_cmd_shell.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Cambium ePMP1000 devices via the 'get_chart' endpoint, allowing authenticated users to execute arbitrary commands and obtain a reverse shell. It targets versions 3.1-3.5-RC7 and requires valid credentials.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cambium ePMP1000 (versions 3.1-3.5-RC7)

Auth required

Prerequisites: Valid credentials (admin/admin, installer/installer, or home/home) · Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43413/

Third Party Advisory x_refsource_misc

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

Scores

CVSS v3 8.8

EPSS 0.7142

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

Cambium Networks/ePMP 3.5 and prior

cambiumnetworks/epmp_1000_firmware < 3.5

cambiumnetworks/epmp_2000_firmware < 3.5

Published Dec 20, 2017

Tracked Since Feb 18, 2026