CVE-2010-5330 — Ubiquiti AirOS Command Injection Vulnerability


Ubiquiti AirOS — Unauthenticated Command Injection via stainfo.cgi GET Request Enables Remote Code Execution on Wireless Devices

What is Ubiquiti AirOS?

AirOS is the embedded Linux-based operating system that powers Ubiquiti Networks' wireless networking equipment — including the AirMax line of outdoor wireless radios (NanoStation, Rocket, LiteBeam, PicoStation), widely used for point-to-point and point-to-multipoint wireless links in ISP last-mile deployments, enterprise wireless backhaul, and remote connectivity. AirOS devices typically run a lightweight embedded web server with CGI scripts for device management. The devices are deployed at outdoor locations (on towers, rooftops, and poles) and are often internet-accessible for remote management — making vulnerabilities in their web management interface directly reachable from the internet without physical access.

Overview

CVE-2010-5330 is a critical-severity command injection vulnerability (CWE-77, CVSS 9.8) in Ubiquiti AirOS. The stainfo.cgi CGI script on the AirOS web management interface processes GET request parameters without adequate input sanitization. An attacker can inject OS command metacharacters into these parameters, causing the embedded Linux system to execute arbitrary commands with the privileges of the web server process — typically root. This unauthenticated command injection requires only network access to the device's web management port. Although the affected devices date from circa 2010, the CVE was not formally published until 2019, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in April 2022 following documented botnet exploitation.

Affected Versions

Product | Vulnerable | Fixed
Ubiquiti AirOS (various firmware versions before patched releases) | Affected | Apply Ubiquiti firmware update
AirMax products (NanoStation, Rocket, PicoStation, Bullet, etc.) | Affected | Apply Ubiquiti firmware update

Note: Specific firmware version ranges vary by device model. Consult Ubiquiti's security advisories for the exact patched firmware version for each affected device model.

Technical Details

The command injection vulnerability (CWE-77: Improper Neutralization of Special Elements used in a Command) exists in the stainfo.cgi CGI script, which is part of the AirOS web management interface. CGI scripts in embedded systems often pass user-supplied GET parameters directly to shell commands for device management operations — querying station status, interface information, or device configuration.

In the vulnerable AirOS CGI implementation, stainfo.cgi accepts GET request parameters and passes them to shell commands without stripping or escaping shell metacharacters (;, |, `, $(...), &&, etc.). An attacker can append shell command separators and additional commands to the GET request parameter values. The embedded shell interprets the injected metacharacters as command separators and executes the attacker's commands.
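
Added example (not part of the original advisory and not Ubiquiti's code): a log check for the request pattern described above. It scans Common Log Format lines for GET requests to stainfo.cgi whose decoded query string contains the metacharacters listed; the log format, the sample lines and the parameter names iface and mac are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Metacharacters listed in the advisory text, plus newline (also a command
# separator in POSIX shells).
SHELL_META = re.compile(r";|\||`|\$\(|&&|\n")
# Leading fields of a Common Log Format line: client ... "METHOD target
REQUEST = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_stainfo_requests(lines):
    """Return (client, metacharacter, decoded_query) for every GET to
    stainfo.cgi whose decoded query string contains a shell metacharacter."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m["method"] != "GET":
            continue
        try:
            parts = urlsplit(m["target"])
        except ValueError:  # malformed request target; nothing to inspect
            continue
        if not unquote(parts.path).lower().endswith("/stainfo.cgi"):
            continue
        query = decode_fully(parts.query)
        found = SHELL_META.search(query)
        if found:
            hits.append((m["client"], found.group(0), query))
    return hits

# Constructed sample lines; "iface" and "mac" are hypothetical parameter names.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:00:00:01 +0000] "GET /stainfo.cgi?iface=wlan0&mac=00:11:22:33:44:55 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:00:00:02 +0000] "GET /stainfo.cgi?iface=wlan0%3Becho+test HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2020:00:00:03 +0000] "GET /stainfo.cgi?iface=wlan0%2524(echo+test) HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2020:00:00:04 +0000] "GET /index.cgi?q=a%3Bb HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for client, meta, query in suspicious_stainfo_requests(SAMPLE_LOG):
        print(f"{client} sent {meta!r} in stainfo.cgi query: {query}")
```

The third sample line is double percent-encoded, which is why the query is decoded until it stops changing before matching.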

Because AirOS is an embedded Linux system whose services run as root by default (a common characteristic of consumer and semi-consumer networking equipment), the CGI process executes with root privileges. Command injection into a vulnerable CGI parameter therefore gives the attacker root-level command execution on the embedded device.

The unauthenticated nature of the vulnerability — requiring no valid credentials to reach stainfo.cgi — means exploitation is available to any network-accessible attacker. On devices with internet-accessible management interfaces (often port 80 or 443), this translates to unauthenticated internet-reachable RCE.

The nine-year gap between the vulnerability's existence (~2010) and CVE assignment (2019) is characteristic of embedded/IoT vulnerabilities that were exploited in the wild for years before formal security research and CVE tracking caught up with them.

Discovery

Identified through security research into Ubiquiti AirOS device firmware. The vulnerability was likely known to network security practitioners and botnet operators for years before formal CVE assignment in 2019. Ubiquiti AirOS devices were targeted in multiple botnet campaigns throughout the 2010s, with attackers scanning for exposed management interfaces and exploiting CGI vulnerabilities to enlist devices into botnets or use them as network pivots.

Exploitation Context

Ubiquiti AirOS command injection vulnerabilities were extensively exploited in IoT botnet campaigns:

  • Mirai and derivative botnets: AirOS devices were targeted by Mirai and post-Mirai IoT botnets that scanned the internet for devices with exploitable management interfaces. Compromised AirOS devices were incorporated into DDoS botnets or used as network proxies for further attacks.
  • ISP infrastructure targeting: Ubiquiti AirMax equipment is widely used by wireless ISPs (WISPs) for customer-facing last-mile connectivity. Compromising WISP infrastructure provided attackers access to thousands of downstream customer networks and the ability to intercept unencrypted traffic.
  • Default internet-exposed management: AirOS devices in ISP deployments were frequently configured with internet-accessible management interfaces (no management VLAN isolation), allowing direct unauthenticated exploitation from anywhere on the internet.
  • Firmware update lag: Embedded networking devices are notoriously difficult to update at scale. ISPs managing hundreds or thousands of deployed AirOS radios rarely had systematic firmware update processes, leaving devices vulnerable for years after patches were available.
  • Peer-to-peer link targeting: Compromised AirOS devices on point-to-point microwave links could be reconfigured to disrupt communication between sites or used to intercept traffic traversing the wireless link.

Remediation

  1. Apply Ubiquiti firmware update: Install the latest Ubiquiti firmware for the specific AirOS device model, which addresses CVE-2010-5330 and other vulnerabilities.
  2. Restrict management interface access: Block access to the AirOS web management interface (typically port 80/443) from the internet using firewall rules or ACLs. Limit management access to a dedicated management IP range or management VLAN.
  3. Enable management VLAN isolation: Configure AirOS devices to place management traffic on an isolated VLAN, preventing lateral movement from compromised devices to the data plane.
  4. Change default credentials: Ensure the admin password on all AirOS devices has been changed from the default. Weak or default credentials combined with an exposed management interface significantly increase exploitation risk.
  5. Inventory and patch at scale: ISPs and enterprises managing large AirOS deployments should use Ubiquiti's UNMS/UISP network management platform to track firmware versions across all devices and deploy updates systematically.
  6. Network monitoring: Monitor for unusual outbound connections from AirOS devices, which may indicate botnet command-and-control activity following compromise.

Key Details

Property | Value
CVE ID | CVE-2010-5330
Vendor / Product | Ubiquiti — AirOS
NVD Published | 2019-06-11
NVD Last Modified | 2025-11-05
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-77
CISA KEV Added | 2022-04-15
CISA KEV Deadline | 2022-05-06
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-06. Apply updates per vendor instructions.

Timeline

Date | Event
2010-01-01 | Command injection vulnerability in AirOS stainfo.cgi exists in Ubiquiti wireless devices shipped during this era
2019-06-11 | CVE-2010-5330 formally published — nearly a decade after the vulnerability's existence was known, following sustained IoT botnet exploitation
2022-04-15 | CISA added to KEV — reflecting active exploitation of unpatched Ubiquiti AirOS devices in botnet campaigns
2022-05-06 | CISA BOD 22-01 remediation deadline
