CVE-2022-0138

7.5 HIGH

📋 TL;DR

This vulnerability allows remote code execution through insecure deserialization in Cambium Networks wireless devices. Attackers can send specially crafted data to create arbitrary classes and execute code on affected devices. Organizations using Cambium MMP, PTP C-series, or PTMP C-series/A5x devices are affected.

💻 Affected Systems

Products:
  • Cambium Networks MMP
  • Cambium Networks PTP C-series
  • Cambium Networks PTMP C-series
  • Cambium Networks PTMP A5x
Versions: MMP: All versions prior to v1.0.3; PTP C-series: All versions prior to v2.8.6.1; PTMP C-series and A5x: All versions prior to v2.5.4.1
Operating Systems: Embedded firmware on Cambium wireless devices
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent backdoor installation, network pivoting, and disruption of wireless connectivity services.

🟠 Likely Case

Remote code execution leading to device takeover, configuration modification, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication if devices are exposed to internet.
🏢 Internal Only: MEDIUM - Still exploitable from internal network segments but requires initial network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted serialized data to the vulnerable deserialization function. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MMP: v1.0.3; PTP C-series: v2.8.6.1; PTMP C-series and A5x: v2.5.4.1

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-034-02

Restart Required: Yes

Instructions:

1. Download latest firmware from Cambium support portal.
2. Backup current configuration.
3. Upload and install firmware update via device web interface or CLI.
4. Reboot device.
5. Verify firmware version after reboot.

🔧 Temporary Workarounds

Network Segmentation

Isolate affected devices in separate VLANs with strict firewall rules limiting access to management interfaces.

Access Control Lists

Implement network ACLs to restrict access to device management interfaces to authorized IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices from untrusted networks
  • Deploy intrusion detection systems to monitor for exploitation attempts and anomalous traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface (System > Status) or CLI command 'show version' and compare against patched versions.

Check Version:

show version (CLI) or check System > Status in web interface

Verify Fix Applied:

Confirm firmware version matches or exceeds: MMP v1.0.3, PTP C-series v2.8.6.1, or PTMP C-series/A5x v2.5.4.1

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation events
  • Configuration changes not initiated by administrators
  • Failed authentication attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from wireless devices
  • Traffic patterns inconsistent with normal wireless operations
  • Malformed serialization payloads sent to device management ports

SIEM Query:

source="cambium_device" AND (event_type="process_creation" OR event_type="config_change") AND user!="admin"
