CVE-2017-5260

HIGH

Cambium Networks cnPilot <4.3.2-R4 - Info Disclosure

Description

In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the normal web administrative console does not offer the 'user' account an option to access the configuration file. This otherwise low-privilege 'user' account can still retrieve the configuration file via a direct object reference (DOR) at http://<device-ip-or-hostname>/goform/down_cfg_file.

Exploits (1)

metasploit SCANNER
ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb

Scores

CVSS v3 8.8
EPSS 0.3339
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-472 CWE-732
Status draft

Affected Products (5)

cambiumnetworks/cnpilot_r190v_firmware < 4.3.2-r4
cambiumnetworks/cnpilot_e410_firmware < 4.3.2-r4
cambiumnetworks/cnpilot_r190n_firmware < 4.3.2-r4
cambiumnetworks/cnpilot_e400_firmware < 4.3.2-r4
cambiumnetworks/cnpilot_e600_firmware < 4.3.2-r4

Timeline

Published Dec 20, 2017
Tracked Since Feb 18, 2026