Cambium Networks cnMaestro

Plan PatchCVSS 9.8ICS-CERT ICSA-22-132-04May 12, 2022

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Cambium Networks cnMaestro On-Premises contains multiple vulnerabilities (command injection, SQL injection, path traversal, use of dangerous functions) that allow remote attackers without authentication to execute arbitrary code, extract sensitive data, and gain complete control of the multi-tenant infrastructure. The vulnerabilities affect cnMaestro On-Premises versions 2.4.2 (before r29), 3.0.0 (before r34), and 3.0.3 (before r32). The cloud-hosted version (cnMaestro Cloud) has been patched by the vendor.

What this means

What could happen

An attacker could remotely take over your cnMaestro On-Premises management console without credentials, allowing them to exfiltrate sensitive data, compromise managed network devices, and disrupt your wireless infrastructure management and monitoring capabilities.

Who's at risk

Cambium Networks cnMaestro On-Premises users should be concerned. This product is a cloud management platform for wireless access points and networking equipment commonly deployed by ISPs, municipal broadband authorities, and enterprise networks to centrally manage distributed wireless infrastructure. If your organization uses cnMaestro On-Premises for wireless network management, you are affected.

How it could be exploited

An attacker could send crafted network requests to your cnMaestro server over HTTP/HTTPS exploiting the command injection, SQL injection, and path traversal flaws to execute arbitrary code as the application user. Once inside the management console, they gain access to all configured wireless devices and customer data stored in the multi-tenant database.

Prerequisites

Network access to cnMaestro On-Premises web interface (typically port 80/443)
No authentication required
cnMaestro On-Premises version 2.4.2-r28 or earlier, 3.0.0-r33 or earlier, or 3.0.3-r31 or earlier

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.8 critical)affects wireless infrastructure management

Exploitability

Some exploitation risk — EPSS score 1.8%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

cnMaestro On-Premises: All< 2.4.2-r293.0.3-r32, 3.0.0-r34, or 2.4.2-r29

cnMaestro On-Premises: All< 3.0.0-r343.0.3-r32, 3.0.0-r34, or 2.4.2-r29

cnMaestro On-Premises: All< 3.0.3-r323.0.3-r32, 3.0.0-r34, or 2.4.2-r29

Remediation & Mitigation

0/4

Do now

0/3

HOTFIXUpgrade cnMaestro On-Premises to version 3.0.3-r32, 3.0.0-r34, or 2.4.2-r29 (obtain patches from Cambium support portal)

WORKAROUNDIf you use cnMaestro Cloud (hosted version), no action needed—Cambium has already patched it

HARDENINGImmediately restrict network access to the cnMaestro management console—do not expose it directly to the Internet; place it behind a firewall and allow only administrative IP addresses

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIf remote management access is required, use a VPN to reach the cnMaestro console; ensure the VPN is kept up to date

CVEs (7)

CVE-2022-1357 CVE-2022-1358 CVE-2022-1361 CVE-2022-1360 CVE-2022-1362 CVE-2022-1359 CVE-2022-1356

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/daebb09c-3aa8-4ee5-907e-88ee00e64023

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.