CVE-2020-5726
Published 2020-03-30
Priority P2 · 61 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 4.23% (89.8th percentile)
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6204_firmware | < 1.0.20.22 | 1.0.20.22 |
| grandstream | ucm6208_firmware | < 1.0.20.22 | 1.0.20.22 |
Detection & IOCs (extracted from sources)
Command: `action=challenge&user=<username>' AND user_password LIKE '<prefix>%' AND substr(user_password,1,<n>) = '<prefix>'--`
- Monitor TCP port 8888 on Grandstream UCM6200 devices for inbound connections from untrusted or external hosts; the CTI server on this port is the attack surface for CVE-2020-5726.
- Detect SQL injection payloads in CTI protocol messages: look for the 'challenge' action whose username field contains a single quote followed by SQL keywords (AND, LIKE, substr, LENGTH) and the comment sequence '--'.
- The exploit uses length-prefixed binary framing (a 4-byte big-endian length header) over TCP to port 8888; anomalous, repeated short TCP connections to port 8888 carrying payloads with SQL keywords indicate exploitation attempts.
- The boolean-based blind SQL injection relies on differentiated server responses (status==0 vs non-zero) to crafted challenge requests; detect repeated challenge requests from the same source IP with varying username payloads as a brute-force pattern.
- The injected SQL targets the 'user_password' column of the 'users' table; inspect WAF or database audit logs for queries referencing 'user_password' with LIKE/substr/LENGTH operators that originate from the CTI interface.
- The vulnerability affects Grandstream UCM6200 series firmware versions 1.0.20.20 and below; devices running 1.0.20.22 or later are patched and should not be vulnerable.
- The attack requires no authentication: any network-reachable host can exploit it, which makes network-level access controls (firewall rules blocking port 8888 from untrusted networks) a critical compensating control.
- User passwords are stored in cleartext in an SQLite database on the device (CVE-2020-5723), so a successful SQL injection yields plaintext credentials directly, with no further cracking step.
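The detection heuristics above, applied to constructed sample traffic, as an added example (not code from the advisory, Tenable or Grandstream): it splits the 4-byte big-endian length-prefixed framing the notes describe, extracts the `action` and `user` fields, flags challenge requests whose username carries the quote-plus-SQL-keyword or `--` pattern, and counts repeated probes per source IP. The `key=value&...` payload layout is assumed from the command shown in the IOCs, and the source addresses and messages are constructed.

```python
import re
import struct
from collections import defaultdict

# Quote followed by an SQL keyword named in the notes above, or a "--" comment.
SQLI_PATTERN = re.compile(r"'[^']*\b(AND|LIKE|substr|LENGTH)\b|--", re.IGNORECASE)

def frame(payload: bytes) -> bytes:
    """Prefix a payload with the 4-byte big-endian length header (constructed framing)."""
    return struct.pack(">I", len(payload)) + payload

def split_frames(stream: bytes) -> list:
    """Split a TCP stream into framed payloads; a truncated trailing frame is dropped."""
    frames, offset = [], 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, offset)
        if offset + 4 + length > len(stream):
            break  # header promises more bytes than the stream holds
        frames.append(stream[offset + 4:offset + 4 + length])
        offset += 4 + length
    return frames

def inspect_challenge(payload: bytes):
    """Return (is_suspicious, username); non-challenge actions give (False, None)."""
    # key=value&... layout assumed from the command shown in the IOCs
    fields = dict(kv.split("=", 1) for kv in payload.decode("latin-1").split("&") if "=" in kv)
    if fields.get("action") != "challenge":
        return False, None
    user = fields.get("user", "")
    return bool(SQLI_PATTERN.search(user)), user

def scan_connections(connections) -> dict:
    """Per source IP: flagged challenge count and distinct usernames (blind-probe pattern)."""
    stats = defaultdict(lambda: {"hits": 0, "users": set()})
    for src, stream in connections:
        for payload in split_frames(stream):
            suspicious, user = inspect_challenge(payload)
            if suspicious:
                stats[src]["hits"] += 1
                stats[src]["users"].add(user)
    return {src: {"hits": s["hits"], "distinct_users": len(s["users"])} for src, s in stats.items()}

# Constructed sample traffic: an ordinary login, two blind-SQLi probes from one
# external host, and a truncated frame that must not be misparsed.
PROBE = b"action=challenge&user=admin' AND user_password LIKE '%s%%' AND substr(user_password,1,1) = '%s'--"
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", frame(b"action=challenge&user=alice")),
    ("198.51.100.7", frame(PROBE % (b"a", b"a")) + frame(PROBE % (b"b", b"b"))),
    ("198.51.100.7", frame(b"action=challenge&user=admin' AND LENGTH(user_password)=8--")[:-5]),
]
```

`scan_connections(SAMPLE_CONNECTIONS)` reports only the external host, with two hits and two distinct probe usernames; the benign login is not flagged and the truncated frame is ignored rather than partially parsed.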
CVSS provenance
NVD v3.1: 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
References
- http://packetstormsecurity.com/files/156977/Grandstream-UCM6200-Series-CTI-Interface-SQL-Injection.html
- https://www.tenable.com/security/research/tra-2020-17