CVE-2020-5758
published 2020-07-17


Priority: P2 · 61 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.38% (90.1th percentile)

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can execute commands as the root user by sending a crafted HTTP GET to the UCM's "Old" HTTPS API.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | <= 1.0.20.23 | |
| grandstream | ucm6204_firmware | <= 1.0.20.23 | |
| grandstream | ucm6208_firmware | <= 1.0.20.23 | |

Detection & IOCs

url: recapi GET request with filedir parameter (Old HTTPS API)
port: 1271
  • Monitor for HTTP GET requests to the UCM6200 'Old' HTTPS API endpoint (recapi) containing shell metacharacters in the filedir parameter, which is the injection vector for CVE-2020-5758.
  • The exploit proof-of-concept spawns a reverse shell; detect unexpected outbound connections from UCM6200 devices, particularly to attacker-controlled hosts on non-standard ports such as 1271.
  • The 'Old' HTTPS API is not enabled by default; audit UCM6200 configurations to detect if this legacy API is enabled, as its presence significantly increases attack surface.
  • Commands executed via this vulnerability run as root; look for anomalous root-level process spawning from the UCM6200 web service process.
  • The vulnerable 'Old' HTTPS API is not enabled by default; exploitation requires it to be explicitly enabled in the device configuration.
  • Exploitation requires authentication; however, an authenticated attacker (even a low-privileged user) can achieve root OS command execution.
  • Affected firmware is version 1.0.20.23 and below on the Grandstream UCM6200 series; devices on newer firmware are not affected by this specific CVE.
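
The first monitoring bullet above, sketched as an access-log filter (an added example, not code from the advisory or the vendor). It assumes Common/Combined Log Format logs, for instance from a proxy in front of the UCM, and that the endpoint shows up as a path segment named `recapi`; the log lines and the `/recapi` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: Common/Combined Log Format; the device's own log format is not
# documented on this page.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters a shell treats specially; a plain directory name needs none.
SHELL_META = set(";|&`$(){}<>\\'\"\n\r")

def suspicious_filedir(line):
    """Return (source, decoded filedir) when the line is a GET to the recapi
    endpoint whose filedir value contains shell metacharacters, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/").rsplit("/", 1)[-1] != "recapi":
        return None
    # Split on '&' only, then percent-decode, so '%3B' and ';' look the same.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if unquote_plus(name) == "filedir" and SHELL_META & set(value):
            return m.group("src"), value
    return None

def scan(lines):
    """Collect every suspicious (source, filedir) hit from an iterable of lines."""
    return [hit for hit in map(suspicious_filedir, lines) if hit]

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2020:10:00:00 +0000] "GET /recapi?filedir=monitor HTTP/1.1" 200 512',
    '192.0.2.44 - - [17/Jul/2020:10:00:05 +0000] "GET /recapi?filedir=%3Bid%3B HTTP/1.1" 200 87',
    '192.0.2.44 - - [17/Jul/2020:10:00:09 +0000] "GET /recapi?filedir=x$(id) HTTP/1.1" 200 87',
    '192.0.2.10 - - [17/Jul/2020:10:00:12 +0000] "GET /cgi?action=list HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT recapi filedir with shell metacharacters from {src}: {value!r}")
```

Any hit is also worth correlating with the second bullet: outbound connections from the same device shortly after the flagged request.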

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C