High

Undocumented Root-Privilege Web Shell in Cambium Networks cnPilot Firmware

Identifiers: CVE-2017-5259, CWE-912

CVE-2017-5259 affects Cambium Networks cnPilot firmware 4.3.2-R4 and earlier. The vulnerability is the presence of an undocumented administrative web shell exposed at the HTTP path /adm/syscmd.asp. This interface provides root-privileged command execution functionality on the device. Because the issue is an exposed, undocumented administrative capability rather than a normal intended user-facing feature, an attacker who can reach the management web interface can abuse the syscmd.asp endpoint to execute system commands with root privileges on the affected device.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides root-level command execution on the affected cnPilot device. An attacker can fully compromise the device, alter configuration, execute arbitrary OS commands, install malware or botnet payloads, establish persistence, pivot through the network, and use the device for follow-on activity such as DDoS participation or proxying. Given the privilege level, impact is effectively complete compromise of confidentiality, integrity, and availability of the device.

Mitigation

If you can’t patch tonight, do this now.

Until patched, restrict access to the device management interface to trusted administrative networks only, using firewall or ACL controls. Do not expose the web administration interface to the public Internet. Monitor for requests to /adm/syscmd.asp and investigate any historical access. Where feasible, isolate affected devices, disable remote administration from untrusted networks, and rotate credentials and review device integrity in case of prior compromise.
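One way to carry out the log review described above, as an added example (not code from this page or from the vendor). It assumes HTTP access logs in Common Log Format from a proxy or gateway in front of the device; the function names, sample lines and trusted network are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

TARGET = "/adm/syscmd.asp"  # path named in the advisory
# Assumption: Common/Combined Log Format from a proxy or gateway in front of the device.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def normalize_path(url):
    """Reduce a request target to a canonical lowercase path for matching."""
    # Drop any scheme://host prefix and the query string.
    path = re.sub(r"^[a-z]+://[^/]*", "", url, flags=re.I).split("?", 1)[0]
    for _ in range(3):  # undo nested percent-encoding (%2573 -> %73 -> s)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    # Lowercasing deliberately over-matches; better a false positive than a miss.
    return posixpath.normpath(path).lower()

def find_syscmd_hits(lines, trusted_nets):
    """Return one dict per logged request that resolves to TARGET."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m["url"]) != TARGET:
            continue
        try:
            trusted = any(ipaddress.ip_address(m["src"]) in n for n in nets)
        except ValueError:  # hostname instead of an IP: treat as untrusted
            trusted = False
        hits.append({"src": m["src"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "trusted_source": trusted})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.asp HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:05:40 +0000] "POST /adm/syscmd.asp HTTP/1.1" 200 87',
    '203.0.113.9 - - [12/Mar/2024:10:06:11 +0000] "GET /ADM/%73yscmd.asp?x=1 HTTP/1.1" 401 0',
    '192.0.2.10 - - [12/Mar/2024:10:09:30 +0000] "GET /adm//./syscmd.asp HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for hit in find_syscmd_hits(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(hit)
```

Any hit with `trusted_source` false, or any hit at all on a device where nobody is known to have used this page, is a reason to treat the device as potentially compromised and follow the remediation steps.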

Remediation

Patch, then assume compromise.

Upgrade Cambium Networks cnPilot firmware to a version newer than 4.3.2-R4 that removes or secures the undocumented /adm/syscmd.asp functionality. If vendor-fixed firmware is available, apply it across all affected devices. Review device exposure and configuration after upgrade to ensure the administrative interface is not unnecessarily reachable from untrusted networks.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor           Product                  Type
Cambiumnetworks  Cnpilot E400 Firmware    operating_system
Cambiumnetworks  Cnpilot E410 Firmware    operating_system
Cambiumnetworks  Cnpilot E600 Firmware    operating_system
Cambiumnetworks  Cnpilot R190n Firmware   operating_system
Cambiumnetworks  Cnpilot R190v Firmware   operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
