CVE-2020-5723
Published 2020-03-30
Priority: P265
CVSS 3.1: 9.8 critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit
EPSS: 5.70% (92.1st percentile)
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6204_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6208_firmware | < 1.0.20.22 | 1.0.20.22 |
Detection & IOCs (extracted from sources)
- Monitor for blind SQL injection attempts against the websockify WebSocket endpoint — differing server status codes on successful vs. unsuccessful queries are the oracle used by attackers to enumerate the users table.
- Alert on unauthenticated WebSocket connections to the /websockify endpoint invoking the 'challenge' or 'login' actions with anomalous or SQL-like username values, as these are the two injection points for CVE-2020-5724 and CVE-2020-5725.
- Monitor for unauthenticated connections to TCP port 8888 (CTI server) with SQL-like username payloads in the challenge action, as this is the CVE-2020-5726 injection vector.
- Identify Grandstream UCM62xx devices running firmware 1.0.20.22 or below, as these store plaintext passwords in SQLite and are the confirmed vulnerable population for CVE-2020-5723.
- Passwords are stored in cleartext in the SQLite users table on affected devices, meaning any successful SQL injection (CVE-2020-5724/5725/5726) directly yields plaintext credentials without any cracking step.
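The detection items above can be turned into a small log-review pass. The following is an added example, not part of this record or of any vendor tooling: it assumes a hypothetical key=value access-log format (the real UCM62xx log format is not given here), uses constructed sample lines, and applies two checks from the list: SQL-like username values in unauthenticated `challenge`/`login` actions on the `/websockify` endpoint or TCP port 8888, and a single source receiving differing status codes across such requests, which is the blind-injection oracle described above.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (an assumption for
# this example; the real device log format is not shown on this page):
#   ts=<n> src=<ip> dport=<port> path=<path> auth=<yes|no> action=<name> user=<value> status=<code>
SAMPLE_LOGS = [
    "ts=1 src=203.0.113.5 dport=8089 path=/websockify auth=no action=challenge user=admin status=200",
    "ts=2 src=198.51.100.9 dport=8089 path=/websockify auth=no action=login user=admin' status=500",
    "ts=3 src=198.51.100.9 dport=8089 path=/websockify auth=no action=challenge user=a'OR'1'='1 status=200",
    "ts=4 src=198.51.100.9 dport=8888 path=- auth=no action=challenge user=x'UNION-- status=200",
    "ts=5 src=203.0.113.5 dport=8089 path=/websockify auth=yes action=status user=admin status=200",
    "ts=6 src=192.0.2.7 dport=8089 path=/websockify auth=no action=login user=bob;-- status=200",
]

# Heuristic for SQL metacharacters / keywords in a username field. It is
# deliberately broad (a user literally named "Or" would match), so treat
# hits as alerts to review, not as proof of exploitation.
SQLI_PATTERN = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select)\b", re.IGNORECASE)

# The two actions named as injection points on this page.
INJECTION_ACTIONS = {"challenge", "login"}
CTI_PORT = "8888"
WEBSOCKIFY_PATH = "/websockify"


def parse_line(line):
    """Split a key=value log line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_injection_surface(rec):
    """True for unauthenticated challenge/login requests reaching either
    the websockify WebSocket endpoint or the CTI server port."""
    on_surface = rec.get("path") == WEBSOCKIFY_PATH or rec.get("dport") == CTI_PORT
    return (
        on_surface
        and rec.get("action") in INJECTION_ACTIONS
        and rec.get("auth") == "no"
    )


def find_sqli_attempts(lines):
    """Return (src, action, user) for requests on the injection surface whose
    username value looks like SQL rather than an account name."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_injection_surface(rec) and SQLI_PATTERN.search(rec.get("user", "")):
            hits.append((rec["src"], rec["action"], rec["user"]))
    return hits


def find_status_oracles(lines, min_distinct=2):
    """Return sources that received at least `min_distinct` different status
    codes across injection-surface requests: the differing-response oracle a
    blind SQL injection probe relies on."""
    statuses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if is_injection_surface(rec):
            statuses[rec["src"]].add(rec.get("status"))
    return sorted(src for src, codes in statuses.items() if len(codes) >= min_distinct)


if __name__ == "__main__":
    for src, action, user in find_sqli_attempts(SAMPLE_LOGS):
        print(f"SQL-like username from {src} in action={action}: {user!r}")
    for src in find_status_oracles(SAMPLE_LOGS):
        print(f"Differing status codes for {src}: possible blind-injection probing")
```

On the constructed lines the username check flags four requests from three sources, while the status-code check flags only the source that received both a 500 and a 200 on the injection surface; the two checks are complementary, since a probe that always gets 200 is caught only by the first and a probe with innocuous-looking usernames only by the second.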
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |