cbcvebase.
CVE-2020-5726
published 2020-03-30


Priority: P2 · 61 · high · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 4.23% (89.8th percentile)
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.

Affected

3 ranges

Vendor        Product            Version range    Fixed in
grandstream   ucm6202_firmware   < 1.0.20.22      1.0.20.22
grandstream   ucm6204_firmware   < 1.0.20.22      1.0.20.22
grandstream   ucm6208_firmware   < 1.0.20.22      1.0.20.22

Detection & IOCs (extracted from sources)

port: 8888
command: action=challenge&user=<username>' AND LENGTH(user_password)=<n>--
command: action=challenge&user=<username>' AND user_password LIKE '<prefix>%' AND substr(user_password,1,<n>) = '<prefix>'--
  • Monitor TCP port 8888 on Grandstream UCM6200 devices for inbound connections from untrusted/external hosts, as the CTI server on this port is the attack surface for CVE-2020-5726.
  • Detect SQL injection payloads in CTI protocol messages: look for the 'challenge' action containing single-quote characters followed by SQL keywords (AND, LIKE, substr, LENGTH) and comment sequences ('--') in the username field.
  • The exploit uses a length-prefixed binary framing (4-byte big-endian length header) over TCP to port 8888; anomalous repeated short TCP connections to port 8888 with payloads containing SQL keywords are indicative of exploitation attempts.
  • Differentiated server responses (status==0 vs non-zero) to crafted challenge requests are used for boolean-based blind SQL injection; detect repeated challenge requests from the same source IP with varying username payloads as a brute-force pattern.
  • The injected SQL targets the 'user_password' column in the 'users' table; inspect any WAF or database audit logs for queries referencing 'user_password' with LIKE/substr/LENGTH operators originating from the CTI interface.
  • The vulnerability affects Grandstream UCM6200 series firmware versions 1.0.20.20 and below; devices running version 1.0.20.22 or later are patched and should not be vulnerable.
  • The attack requires no authentication; any network-reachable host can exploit this vulnerability, making network-level access controls (firewall rules blocking port 8888 from untrusted networks) a critical compensating control.
  • User passwords are stored unencrypted (cleartext) in an SQLite database on the device (CVE-2020-5723), meaning successful SQL injection directly yields plaintext credentials without any further cracking step.
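The detection points above (length-prefixed framing on port 8888, a 'challenge' action whose username carries a quote followed by SQL keywords or a comment sequence, and repeated challenge requests from one source) can be turned into a small stream analyser. The following is an added example, not code from this database or from Grandstream: it reassembles 4-byte big-endian length-prefixed frames from a byte stream, parses the key=value body, and flags challenge commands whose user field matches the injection shape listed in the IOCs. The sample stream is constructed for the example; the exact field names ("action", "user") and the per-source threshold are assumptions, not protocol documentation.

```python
import re
import struct
from collections import Counter

# Regex for the injection shape quoted in the IOCs: a quote, a boolean
# operator, and one of the keywords used to probe user_password.
SQLI_USER = re.compile(r"'\s*(AND|OR)\b.*\b(LIKE|substr|LENGTH)\b", re.IGNORECASE)

# Assumed threshold: this many challenge requests from one source in the
# analysed window is treated as a brute-force / blind-SQLi pattern.
CHALLENGE_BURST_THRESHOLD = 3


def frame(body: bytes) -> bytes:
    """Prefix a command body with a 4-byte big-endian length (page-described framing)."""
    return struct.pack(">I", len(body)) + body


# Constructed sample traffic from a single source to TCP/8888 (not captured data).
SAMPLE_STREAM = b"".join(frame(b) for b in [
    b"action=challenge&user=admin",
    b"action=challenge&user=admin' AND LENGTH(user_password)=8--",
    b"action=challenge&user=admin' AND user_password LIKE 'a%' AND substr(user_password,1,1) = 'a'--",
    b"action=login&user=admin&token=deadbeef",
])


def parse_frames(stream: bytes) -> list:
    """Split a TCP byte stream into frame bodies; stops at a truncated trailing frame."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack(">I", stream[off:off + 4])
        body = stream[off + 4:off + 4 + n]
        if len(body) < n:
            break  # incomplete frame at end of stream
        frames.append(body)
        off += 4 + n
    return frames


def parse_command(body: bytes) -> dict:
    """Parse an ampersand-separated key=value body; splits on the first '=' only."""
    fields = {}
    for part in body.decode("utf-8", "replace").split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def flag_frames(stream: bytes) -> list:
    """Return (frame_index, user_value) for challenge commands carrying SQLi markers."""
    alerts = []
    for idx, body in enumerate(parse_frames(stream)):
        cmd = parse_command(body)
        user = cmd.get("user", "")
        if cmd.get("action") != "challenge" or "'" not in user:
            continue
        if SQLI_USER.search(user) or "--" in user:
            alerts.append((idx, user))
    return alerts


def challenge_burst(stream: bytes, source_ip: str) -> dict:
    """Count challenge commands per source; flag sources above the assumed threshold."""
    counts = Counter()
    for body in parse_frames(stream):
        if parse_command(body).get("action") == "challenge":
            counts[source_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= CHALLENGE_BURST_THRESHOLD}


if __name__ == "__main__":
    for idx, user in flag_frames(SAMPLE_STREAM):
        print(f"frame {idx}: suspicious challenge user field: {user!r}")
    print("burst sources:", challenge_burst(SAMPLE_STREAM, "203.0.113.5"))
```

On the constructed stream the analyser flags frames 1 and 2 (the LENGTH and LIKE/substr probes) and leaves the plain challenge and the login frame alone; the burst counter reports the single source because it sent three challenge commands. In production the same logic would run over reassembled TCP payloads keyed by source address, with the threshold tuned to the CTI client's normal behaviour.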

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N