cbcvebase.
CVE-2020-5724
published 2020-03-30

Priority: P2 · 66 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: EXPLOIT
EPSS: 11.88% (95.6th percentile)
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.

Affected (3 ranges)

Vendor         Product              Version range   Fixed in
grandstream    ucm6202_firmware     < 1.0.20.22     1.0.20.22
grandstream    ucm6204_firmware     < 1.0.20.22     1.0.20.22
grandstream    ucm6208_firmware     < 1.0.20.22     1.0.20.22

Detection & IOCs (extracted from sources)

URL: /websockify
Port: 8888
  • Monitor WebSocket connections to the /websockify endpoint for SQL injection patterns in the username field of 'challenge' action requests; successful and unsuccessful queries return different HTTP status codes, which enables blind boolean-based SQLi enumeration.
  • Alert on unauthenticated requests invoking the 'challenge' action on the UCM6200 websockify endpoint, especially from external/untrusted sources, since exploitation requires no authentication.
  • Look for high-frequency repeated WebSocket challenge requests to /websockify from a single source IP, consistent with automated blind SQL injection enumeration of the users table.
  • Passwords are stored in cleartext in the SQLite users table, so successful exploitation of the SQL injection directly yields plaintext credentials; no cracking is required.
  • The vulnerability affects Grandstream UCM6200 series firmware before 1.0.20.22; devices running older firmware are fully exposed to unauthenticated credential dumping.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd      v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N