CVE-2019-10655
published 2019-03-30


Priority: P187, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 15.35% (96.4th percentile)
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

Affected (5 ranges)

Vendor       Product           Version range   Fixed in
grandstream  gac2500_firmware  <= 1.0.3.35
grandstream  gvc3202_firmware  < 1.0.3.51      1.0.3.51
grandstream  gxp2200_firmware  <= 1.0.3.27
grandstream  gxv3240_firmware  < 1.0.3.219     1.0.3.219
grandstream  gxv3275_firmware  < 1.0.3.219     1.0.3.219

Detection & IOCs (extracted from sources)

cookie: phonecookie (alphanumeric, 93 characters in length)
url: /manager?action=getlogcat
command: action=getlogcat (priority field with shell metacharacters)
command: action=settimezone (timezone parameter with injected commands)
  • Detect exploitation attempts by monitoring HTTP requests to /manager?action=getlogcat containing shell metacharacters in the 'priority' parameter, combined with an oversized or 93-character alphanumeric 'phonecookie' cookie value.
  • Detect exploitation attempts by monitoring HTTP requests to /manager?action=settimezone containing shell metacharacters or command injection payloads in the 'timezone' parameter.
  • Alert on HTTP requests to Grandstream lighttpd web interfaces where the 'phonecookie' cookie appears in an Accept HTTP header within an XMLHttpRequest, which is the CSRF/remote delivery vector for this exploit.
  • Flag unauthenticated requests to the /manager endpoint on Grandstream GAC2500, GXP2200, GVC3202, GXV3275, GXV3240, GXV3175, and GXV3140 devices, especially those carrying oversized phonecookie values (93+ alphanumeric characters).
  • The exploit chain requires two conditions simultaneously: a shell metacharacter injection in the vulnerable action parameter AND a 93-character alphanumeric phonecookie buffer overflow to bypass authentication. Detection rules should account for both conditions together to reduce false positives.
  • The Metasploit module targets GXV3175v2 (fw 1.0.1.19) and GXV3140 (fw 1.0.1.27) via the settimezone vector, while the NVD entry references getlogcat on GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240. Detection coverage should span both action endpoints across all affected model families.
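One way to implement the combined rule from the notes above, as an added example that is not part of the database entry or any vendor tooling: a small Python scorer that parses a raw HTTP request, checks the vulnerable action parameter for shell metacharacters, and looks for an oversized phonecookie in either the Cookie or the Accept header, rating "high" only when both conditions are present. The sample requests, the metacharacter set and the host name phone.example are constructed assumptions.

```python
"""Detect the CVE-2019-10655 exploit chain in a raw HTTP request (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable action -> parameter that receives shell metacharacters (from the notes above).
VULN_ACTIONS = {"getlogcat": "priority", "settimezone": "timezone"}
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")  # assumed metacharacter set
# phonecookie may arrive in the Cookie header or, for the CSRF vector, in Accept.
COOKIE_RE = re.compile(r"phonecookie=([^;,\s]+)")
OVERSIZED = re.compile(r"^[A-Za-z0-9]{93,}$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def assess(raw):
    """Score one request: 'high' only when both chain conditions are present."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if url.path != "/manager":
        return {"severity": "none"}
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST":  # form-encoded bodies carry the same parameters
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    action = params.get("action", [""])[0]
    field = VULN_ACTIONS.get(action)
    injected = field is not None and any(SHELL_META.search(v) for v in params.get(field, []))
    cookies = [c for h in ("cookie", "accept") for c in COOKIE_RE.findall(headers.get(h, ""))]
    oversized = any(OVERSIZED.match(c) for c in cookies)
    in_accept = bool(COOKIE_RE.search(headers.get("accept", "")))
    severity = "high" if injected and oversized else "medium" if injected or oversized else "low"
    return {"action": action, "injected": injected, "oversized_cookie": oversized,
            "cookie_in_accept": in_accept, "severity": severity}

# Constructed sample requests (not real captures) to exercise the rule.
BENIGN = ("GET /manager?action=getlogcat&priority=V HTTP/1.1\r\n"
          "Host: phone.example\r\nCookie: phonecookie=abc123\r\n\r\n")
CHAIN = ("GET /manager?action=getlogcat&priority=V%3Becho HTTP/1.1\r\n"
         "Host: phone.example\r\nAccept: text/html, phonecookie=" + "A" * 93 + "\r\n\r\n")

if __name__ == "__main__":
    print(assess(BENIGN)["severity"], assess(CHAIN)["severity"])  # low high
```

An authenticated administrator reading logs with a short phonecookie scores "low", so the rule stays quiet on normal traffic and raises "medium" when only one of the two conditions appears.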

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL