CVE-2020-5759
Published 2020-07-17
Priority: P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.20% (86.5th percentile)
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via SSH. An authenticated remote attacker can execute commands as the root user by issuing a specially crafted "unset" command.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | ucm6202_firmware | <= 1.0.20.23 | — |
| grandstream | ucm6204_firmware | <= 1.0.20.23 | — |
| grandstream | ucm6208_firmware | <= 1.0.20.23 | — |
Detection & IOCs (extracted from sources)
- Monitor SSH sessions to Grandstream UCM6200 series devices for use of the 'unset' keyword in the config shell, which is the attack vector for CVE-2020-5759.
- Alert on unexpected outbound connections or bind shells spawned from the UCM6200 process space, consistent with post-exploitation activity following SSH command injection.
- Scope detection to Grandstream UCM6200 series firmware version 1.0.20.23 and below, as these are the affected versions.
- Exploitation requires prior authentication; this is not an unauthenticated attack vector. Detection should focus on authenticated SSH sessions abusing the config shell.
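CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |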
No detection rules found.
No public exploits indexed.