Light Dark
May 23, 2016 By Larry Loeb 2 min read

Ubiquiti Networks issued a security alert this week that advised users to update their airOS router firmware. This was in response to reports that the company’s routers had seen infections performed by a worm.

The alert noted that two different payloads are operating with the same exploit. However, the exploit in question was reported and patched in July 2015.

Updating the Ubiquiti OS

The company released version 5.6.5 of the airOS, which features some additional security improvements. These improvements include disabling custom scripts usage and enabling syslog by default.

The new OS version will remove the worm from devices. Ubiquiti also released a separate worm removal tool in the form of a Java JAR file.

The worm targets routers, access points and other devices running outdated versions of the airOS firmware. The underlying problem appears to be an arbitrary file upload vulnerability that can allow an unauthenticated attacker to gain access to the device through HTTP/HTTPS.

What the Worm Does

The worm functions by creating a self-replicating virus that gains entry through the use of the ogin.cgi file. The malware uses the default credentials for Ubiquiti devices to log into these routers.

It first leaves a copy of itself as well as a backdoor account on the device. Then it adds rules entries that prevent an admin user from accessing the administration panel through the Web interface and gains persistence on the system.

Finally, the worm downloads a copy of the open-source cURL utility, which it uses to spread to other routers, either on an internal network or the Internet.

Symantec thinks that the worm is not doing any actual damage — for now. “So far this malware doesn’t seem to perform any other activities beyond creating a backdoor account, blocking access to the device and spreading to other routers,” the firm wrote. “It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation.”

Lessons Learned

The takeaway here is how difficult network security is, particularly with regard to the Internet of Things (IoT).

Even though the exploit used by the worm was previously fixed, many routers are still unpatched and vulnerable. The secure maintenance of all the disparate elements of common networks will require a level of vigilance that many may not yet appreciate.

 |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 26, 2025

We are moving!

< 1 min read - SecurityIntelligence.com is being sunset, but have no fear!We have a new home for all of your favorite security and X-Force content.Follow us to www.ibm.com/think to maintain access to the stories and news you love, both new and old.Security Intelligence will officially sunset on Friday, March 28, 2025. To access the latest security thought leadership, go here. To access the latest X-Force research, go here.If you are experiencing cybersecurity issues or an incident, contact X-Force® to help:US hotline: 1-888-241-9812 | Global hotline:…

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature