Cambium ePMP 5GHz Force 300-25 Radio (Update A)
Monitor | 7.8 | ICS-CERT ICSA-23-348-01 | Dec 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A code execution vulnerability exists in Cambium ePMP Force 300-25 5GHz radio firmware version 4.7.0.1 (CWE-94). Successful exploitation allows an attacker with local access to execute arbitrary commands on the radio. This is not remotely exploitable. Cambium has not responded to CISA requests for mitigation and has not provided a patch for this product version.
What this means
What could happen
An attacker with local access to the ePMP Force 300-25 radio could execute arbitrary code, potentially disrupting wireless backhaul connectivity for distributed network sites or compromising the integrity of data transmitted over the radio link.
Who's at risk
Network operators using Cambium ePMP Force 300-25 5GHz radios for wireless backhaul should care about this issue. These radios are commonly used as point-to-point or point-to-multipoint links at remote cellular tower sites, water/electric utility substations, or distributed edge locations. The vulnerability affects anyone managing these devices with local or network access.
How it could be exploited
An attacker must have local access to the affected ePMP Force 300-25 radio (via physical proximity or local network access with user credentials). They can then exploit the code execution vulnerability to run commands on the device, allowing them to modify configurations, disrupt wireless links, or pivot to connected network infrastructure.
Prerequisites
- Local or adjacent network access to the ePMP Force 300-25 radio
- User-level credentials or physical access to the device
- Device running firmware version 4.7.0.1
- No patch available
- No authentication required for local exploitation
- Low complexity attack
- Code execution capability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
ePMP Force 300-25: 4.7.0.1 | 4.7.0.1 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Contact Cambium customer support to request available mitigations or upgrade options for the ePMP Force 300-25
- HARDENING: Restrict local and network access to ePMP Force 300-25 radios; ensure they are not accessible from the business network or internet
- HARDENING: Place ePMP Force 300-25 radios behind a firewall and on a segmented control system network separate from business systems
- HARDENING: If remote management is required, use a VPN with current security patches rather than direct network exposure
Mitigations - no patch available
ePMP Force 300-25: 4.7.0.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Apply principle of least privilege: grant only necessary personnel credentials to access the radio
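One way to check an asset inventory against the affected version and the access-restriction guidance above, as an added example that is not part of the advisory or any Cambium tooling. The inventory records, field names and trusted network ranges are constructed assumptions.

```python
import ipaddress

AFFECTED_MODEL = "ePMP Force 300-25"
AFFECTED_FIRMWARE = "4.7.0.1"

# Assumption: the only networks that should reach radio management
# (segmented control network and VPN address pool). Constructed values.
TRUSTED_MGMT_NETS = ["10.50.0.0/24", "10.99.0.0/28"]

# Constructed inventory: each record lists the source networks that the
# firewall in front of the radio permits to its management interface.
INVENTORY = [
    {"name": "tower-07", "model": "ePMP Force 300-25", "firmware": "4.7.0.1",
     "allowed_sources": ["10.50.0.0/24"]},
    {"name": "substation-2", "model": "ePMP Force 300-25", "firmware": "4.7.0.1",
     "allowed_sources": ["10.50.0.0/24", "192.168.10.0/24"]},
    {"name": "edge-11", "model": "ePMP Force 300-25", "firmware": "4.7.0.1",
     "allowed_sources": ["0.0.0.0/0"]},
    {"name": "lab-1", "model": "Other Radio", "firmware": "4.7.0.1",
     "allowed_sources": ["0.0.0.0/0"]},
]

def is_affected(device):
    """True when the record matches the advisory's product and firmware."""
    return (device["model"].strip().lower() == AFFECTED_MODEL.lower()
            and device["firmware"].strip() == AFFECTED_FIRMWARE)

def untrusted_sources(device, trusted=TRUSTED_MGMT_NETS):
    """Return permitted source networks not contained in a trusted range."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    bad = []
    for src in device["allowed_sources"]:
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == t.version and net.subnet_of(t)
                   for t in trusted_nets):
            bad.append(str(net))
    return bad

def audit(inventory):
    """Map each affected radio to the untrusted networks that can reach it."""
    return {d["name"]: untrusted_sources(d) for d in inventory if is_affected(d)}

if __name__ == "__main__":
    for name, bad in audit(INVENTORY).items():
        status = "EXPOSED to " + ", ".join(bad) if bad else "restricted to trusted segments"
        print(f"{name}: firmware {AFFECTED_FIRMWARE}, {status}")
```

An empty list for a radio means every permitted source falls inside the control or VPN ranges; any other entry is a path the segmentation guidance says to close.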
CVEs (1)