CVE-2017-5260

HIGH

Cambium Networks cnPilot <4.3.2-R4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-5260. Includes Metasploit module auxiliary/scanner/http/cnpilot_r_web_login_loot.

AI-analyzed exploit summary This Metasploit module scans for Cambium cnPilot r200/r201 devices, attempts to authenticate using provided credentials, and dumps the device configuration. It exploits an access control vulnerability (CVE-2017-5260) where the 'user' account can access full device configuration.

Description

In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http://<device-ip-or-hostname>/goform/down_cfg_file by this otherwise low privilege 'user' account.

Exploits (1)

metasploit SCANNER

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb

View Code ZIP pw:eip

This Metasploit module scans for Cambium cnPilot r200/r201 devices, attempts to authenticate using provided credentials, and dumps the device configuration. It exploits an access control vulnerability (CVE-2017-5260) where the 'user' account can access full device configuration.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cambium cnPilot r200/r201

Auth required

Prerequisites: Network access to the target device · Valid credentials (default or known)

MITRE ATT&CK

T1087.001 - Local Account T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory x_refsource_misc

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

Scores

CVSS v3 8.8

EPSS 0.0813

EPSS Percentile 94.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-472 CWE-732

Status published

Products (6)

Cambium Networks/cnPilot 4.3.2-R4 and prior

cambiumnetworks/cnpilot_e400_firmware < 4.3.2-r4

cambiumnetworks/cnpilot_e410_firmware < 4.3.2-r4

cambiumnetworks/cnpilot_e600_firmware < 4.3.2-r4

cambiumnetworks/cnpilot_r190n_firmware < 4.3.2-r4

cambiumnetworks/cnpilot_r190v_firmware < 4.3.2-r4

Published Dec 20, 2017

Tracked Since Feb 18, 2026