12-19-2017 cnPilot R200/201 security advisory

Cambium Networks Security Advisory

CVE-2017-5259 Privilege escalation via backdoor access 9.0
CVE-2017-5260 Privilege escalation via direct object reference 9.0
CVE-2017-5261 Critical information disclosure via file path traversal in Readfile 6.8
CVE-2017-5262 Privilege escalation via SNMP RO access to sensitive OIDs 6.8


In cnPilot R200/R201 systems, an attacker can get admin-level access via multiple attack vectors including web interface and SNMP. It is critical to update all cnPilot R200/201 systems to the 4.3.4-R8 firmware.

Affected Products

cnPilot R200/201

Fixed in Software



It is recommended that users change default SNMP configuration. ePMP comes with the default “public” and “private” for RO (read only) and RW (read-write) community strings. Cambium recommends changing this to a random string consisting of eight or more characters in length, including both upper and lower case letters and numbers for variability.

It is also recommended to ensure that management(HTTP/HTTPs/SNMP) is not accessible from the Internet.

Exploitation and Public Announcements


Researcher Karn Ganeshen identified these vulnerabilities.

1 Like