Light Dark
May 23, 2016 By Larry Loeb 2 min read

Ubiquiti Networks issued a security alert this week that advised users to update their airOS router firmware. This was in response to reports that the company’s routers had seen infections performed by a worm.

The alert noted that two different payloads are operating with the same exploit. However, the exploit in question was reported and patched in July 2015.

Updating the Ubiquiti OS

The company released version 5.6.5 of the airOS, which features some additional security improvements. These improvements include disabling custom scripts usage and enabling syslog by default.

The new OS version will remove the worm from devices. Ubiquiti also released a separate worm removal tool in the form of a Java JAR file.

The worm targets routers, access points and other devices running outdated versions of the airOS firmware. The underlying problem appears to be an arbitrary file upload vulnerability that can allow an unauthenticated attacker to gain access to the device through HTTP/HTTPS.

What the Worm Does

The worm functions by creating a self-replicating virus that gains entry through the use of the ogin.cgi file. The malware uses the default credentials for Ubiquiti devices to log into these routers.

It first leaves a copy of itself as well as a backdoor account on the device. Then it adds rules entries that prevent an admin user from accessing the administration panel through the Web interface and gains persistence on the system.

Finally, the worm downloads a copy of the open-source cURL utility, which it uses to spread to other routers, either on an internal network or the Internet.

Symantec thinks that the worm is not doing any actual damage — for now. “So far this malware doesn’t seem to perform any other activities beyond creating a backdoor account, blocking access to the device and spreading to other routers,” the firm wrote. “It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation.”

Lessons Learned

The takeaway here is how difficult network security is, particularly with regard to the Internet of Things (IoT).

Even though the exploit used by the worm was previously fixed, many routers are still unpatched and vulnerable. The secure maintenance of all the disparate elements of common networks will require a level of vigilance that many may not yet appreciate.

 |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature