CVE-2020-5757
Published 2020-07-17
PriorityP266critical9.8CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.93% (93.3rd percentile)
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | <= 1.0.20.23 | — |
| grandstream | ucm6204_firmware | <= 1.0.20.23 | — |
| grandstream | ucm6208_firmware | <= 1.0.20.23 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to the UCM6200 'New' HTTPS API recapi endpoint containing newline characters in the filedir parameter, which are used to bypass command injection mitigations.
- Alert on unexpected outbound or inbound TCP connections to/from UCM6200 devices on port 1270, indicative of a bindshell established via exploitation.
- Exploitation results in command execution as root on the UCM6200 device; monitor for unexpected root-level process spawning from the web service process.
- Exploitation requires authentication; the attack surface is limited to authenticated users of the UCM6200 web interface.
- Affected firmware is version 1.0.20.23 and below; devices running newer firmware are not vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.