Bug? Arbitrary code execution on cli?

I was looking for how to add a static route on my ePMP 1000 operating in NAT mode. I decided to use the CLI, and after some attempts to execute the command “ip route add 172.16.20.0/24 172…” I found this way:

ROUTERNAME>tcpdump "$(sh)"
id > /var/tddstats_acs_init
^C
ROUTERNAME>show acs
uid=1000(admin) gid=4(adm) groups=4(adm)
ROUTERNAME>

I have no idea why Cambium doesn’t permit access to a shell!
So by passing a shell escape to tcpdump we can execute arbitrary commands as the user admin.
The Lua script blocks the output in the terminal; bypass this by redirecting the output to /var/tddstats_acs_init and using the command show acs. To work in a more comfortable way I tried to open a shell using netcat, but the BusyBox version doesn’t support listening.
At the moment it’s not possible to have root access.

NB: If anybody has an idea how to add a static route on an ePMP 1000 working in NAT mode, please tell me!
My config is like this:

INTERNET|–<EPMP pppoe(internet)>-----LAN----|ROUTER|—LAN2
I want to add the LAN2 route path using a static route, but it’s unavailable in NAT mode; the option appears when I choose Router mode.
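
The injection in the post above works because operator input reaches a shell parser before the diagnostic tool starts. The following is an added example, not Cambium's code and not part of the original post: it contrasts that pattern with an allowlisted argv call. `echo` stands in for tcpdump so it runs offline, and the function names and the permitted option set are assumptions.

```python
import re
import subprocess

# Hypothetical stand-in for the diagnostic binary so the example runs offline;
# on the device described in the post this would be tcpdump.
TOOL = "echo"

# Character allowlist for one argument: enough for interface names, addresses
# and counts. Excludes $ ( ) ` ; | & quotes and whitespace.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.:/=-]{1,64}")

# Option allowlist (assumed policy). A character allowlist alone does not stop
# option injection, so any token starting with "-" must be listed here.
ALLOWED_OPTS = {"-i", "-c", "-n"}


def run_vulnerable(user_args: str) -> str:
    """Concatenate operator input into a shell command line (the flawed pattern)."""
    # /bin/sh parses the whole string, so "$(...)" inside user_args is expanded
    # as a command substitution before TOOL is executed.
    proc = subprocess.run(TOOL + " " + user_args, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def build_argv(user_args: str) -> list:
    """Split on whitespace and reject any token outside both allowlists."""
    tokens = user_args.split()
    for tok in tokens:
        if not SAFE_ARG.fullmatch(tok):
            raise ValueError("rejected argument: %r" % tok)
        if tok.startswith("-") and tok not in ALLOWED_OPTS:
            raise ValueError("option not permitted: %r" % tok)
    return [TOOL] + tokens


def run_hardened(user_args: str) -> str:
    """Validate, then execute with an argv list so no shell parses the input."""
    proc = subprocess.run(build_argv(user_args), capture_output=True, text=True)
    return proc.stdout.strip()


# Constructed sample inputs.
BENIGN = "-i eth0 -c 5"
HOSTILE = '"$(echo SUBSTITUTED)"'  # harmless command substitution

if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(HOSTILE))  # inner command ran
    print("hardened:  ", run_hardened(BENIGN))     # arguments passed through
```
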

Considering adding a route to a NAT defeats the purpose of NAT, I suggest you better define what you are trying to accomplish.

You are using PPPoE; this is an access control method for L2 only, so unless you are using PPPoE to a tower router, you have a bridged network to a BRAS (BNG). No need to add routes to downstream devices, just to the BRAS.

If you are trying to route a subnet to a client, then drop the PPPoE on the ePMP and either use bridged mode to a provided router that can authenticate using PPPoE and then route from the PPPoE connection to the client connection, or use the routed feature of the ePMP and route without PPPoE. For this I highly suggest EAP-TTLS to authenticate bridged and routed SMs to prevent theft and give control to the SM and service. If you use RADIUS with an SQL backend, then this can easily pass new configuration changes with only a simple session drop to make them effective.

My actual config is this:

So I want to reach the network 192.16.20.0 from network 192.168.10.0,
so it is necessary to add a static route on the ePMP indicating 192.168.0.254 is the gateway to reach the network 192.168.20.0.
At the same time I want to NAT the network 192.168.20.0 and map some TCP ports.

At the moment the only way is configuring the second router in NAT mode… but in this case I can’t reach the network 192.168.20.0 from 192.168.10.0.

In the past this configuration worked well, but the antenna was a Ubiquiti AirGrid, with a static route.