Cambium Networks ePMP
Act Now · 7.6 · ICS-CERT ICSA-17-166-01 · Jun 15, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Cambium Networks ePMP wireless access points contain authorization bypass and improper access control vulnerabilities (CWE-284, CWE-269) that allow an authenticated attacker to access restricted configuration data and modify system settings. The vulnerabilities affect all ePMP models, and no vendor fix is available. The vendor has not indicated plans to patch these devices, leaving operators dependent on compensating controls.
What this means
What could happen
An attacker with valid engineering credentials could access sensitive configuration data and modify system settings on ePMP wireless access points, potentially disrupting network connectivity to critical devices or exfiltrating operational data.
Who's at risk
Water utilities and electric utilities using Cambium Networks ePMP wireless access points for backhaul links, remote device connectivity, or site-to-site mesh networks. This affects any operation relying on these wireless bridges to connect field devices, SCADA RTUs, or remote terminal units to the main control network.
How it could be exploited
An attacker on the network or with remote access to the ePMP management interface authenticates with valid engineering credentials. Once logged in, they can read protected configuration files or modify system settings through the web interface or API, affecting wireless network operations.
Prerequisites
- Network access to ePMP management port (typically 80/443)
- Valid engineering workstation credentials or default/weak credentials if unchanged
- ePMP device connected to network
No patch available · Low complexity exploitation · Valid credentials required · Remotely exploitable · High EPSS score (42.2%)
Exploitability
High exploit probability (EPSS 42.2%)
Affected products (1)
Product | Affected Versions | Fix Status
ePMP: All Models | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Enforce strong, unique engineering credentials on all ePMP devices and disable or change any default credentials
- HARDENING: Restrict network access to ePMP management interfaces using firewall rules; limit administrative access to trusted engineering workstations or VPN
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor and log all administrative access to ePMP devices for anomalous activity
Mitigations - no patch available
ePMP: All Models has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Evaluate replacement or lifecycle plan for ePMP devices given no vendor patch availability
CVEs (2)