CVE-2020-5724
Published 2020-03-30
Priority: P2 · 66 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 11.88% (95.6th percentile)
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6204_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6208_firmware | < 1.0.20.22 | 1.0.20.22 |
Detection & IOCs (extracted from sources)
- Monitor WebSocket connections to the /websockify endpoint for SQL-injection patterns in the username field of 'challenge' action requests. Successful and unsuccessful injected queries return different HTTP status codes, which gives the attacker a boolean oracle for blind enumeration.
- Alert on unauthenticated requests invoking the 'challenge' action on the UCM6200 websockify endpoint, especially from external or untrusted sources; exploitation requires no authentication.
- Look for high-frequency repeated WebSocket challenge requests to /websockify from a single source IP, consistent with automated blind SQL-injection enumeration of the users table.
- Passwords are stored in cleartext in the SQLite users table, so a successful injection yields plaintext credentials directly, with no cracking required.
- The vulnerability affects Grandstream UCM6200 series firmware before 1.0.20.22; devices running older firmware are fully exposed to unauthenticated credential dumping.
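The three detection points above (injection patterns in the username, a boolean status-code oracle, and request rate from one source) can be checked together over access logs. The script below is an added example written for this page, not Grandstream code and not a published detection rule. It assumes a log format of one JSON object per line with the fields src_ip, ts, path, action, username and status; the rate threshold, the window and the sample probe strings are all constructed for the demonstration.

```python
"""Log-based detector for blind SQLi probing of the UCM6200 websockify
'challenge' action (CVE-2020-5724 pattern).  Constructed example; the
JSON-per-line log format and the thresholds are assumptions, not a
Grandstream format or a vendor rule."""
import json
import re
from collections import defaultdict

# Boolean-blind probes usually carry a quote plus a logic or subquery fragment.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+", re.I),
    re.compile(r"\b(select|union|substr|substring|length|sqlite_master)\b", re.I),
    re.compile(r"--|/\*|\brandomblob\(", re.I),
]

RATE_THRESHOLD = 20   # challenge requests per window from one IP (assumption)
RATE_WINDOW = 60.0    # seconds (assumption)


def looks_like_sqli(username):
    """True if the username carries a typical SQL-injection fragment."""
    return any(p.search(username) for p in SQLI_PATTERNS)


def parse_log(lines):
    """Yield one event dict per non-empty JSON log line (assumed format)."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze(lines):
    """Return {src_ip: [(alert_kind, detail), ...]} for /websockify challenges."""
    alerts = defaultdict(list)
    stamps_by_ip = defaultdict(list)   # src_ip -> request timestamps
    status_by_ip = defaultdict(set)    # src_ip -> distinct HTTP status codes
    for ev in parse_log(lines):
        if ev.get("path") != "/websockify" or ev.get("action") != "challenge":
            continue
        ip = ev["src_ip"]
        stamps_by_ip[ip].append(float(ev["ts"]))
        status_by_ip[ip].add(int(ev["status"]))
        if looks_like_sqli(ev.get("username", "")):
            alerts[ip].append(("sqli_pattern", ev["username"]))
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):          # sliding-window rate check
            while stamps[j] < t - RATE_WINDOW:
                j += 1
            if i - j + 1 >= RATE_THRESHOLD:
                alerts[ip].append(("high_rate", i - j + 1))
                break
        # Injection attempts answered with more than one status code from the
        # same source look like a boolean oracle being read out.
        if len(status_by_ip[ip]) > 1 and any(k == "sqli_pattern" for k, _ in alerts[ip]):
            alerts[ip].append(("status_oracle", sorted(status_by_ip[ip])))
    return dict(alerts)


def build_sample_log():
    """Constructed sample: one legitimate challenge and one automated probe run."""
    lines = [json.dumps({"src_ip": "10.0.0.5", "ts": 1000.0, "path": "/websockify",
                         "action": "challenge", "username": "admin", "status": 200})]
    for i in range(24):
        # Constructed probe string: reads the users table one character at a time.
        probe = "admin' AND substr((SELECT password FROM users LIMIT 1),%d,1)='a'--" % (i + 1)
        lines.append(json.dumps({"src_ip": "203.0.113.7", "ts": 1000.0 + i * 0.5,
                                 "path": "/websockify", "action": "challenge",
                                 "username": probe, "status": 200 if i % 2 else 400}))
    lines.append(json.dumps({"src_ip": "203.0.113.7", "ts": 1020.0, "path": "/cgi",
                             "action": "login", "username": "x", "status": 200}))
    return lines


if __name__ == "__main__":
    for ip, found in analyze(build_sample_log()).items():
        kinds = sorted({k for k, _ in found})
        print("%s: %s" % (ip, ", ".join(kinds)))
```

The pattern list is deliberately narrow; on a real UCM6200 log the username field of a legitimate challenge is a short account name, so even a single quote character there is worth an alert, and the rate and status-oracle checks cover probes that avoid the listed keywords.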
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.