cbcvebase.
CVE-2022-2025
published 2022-09-23

CVE-2022-2025: an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn't check the param length…

Priority: P266 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 4.01% (89.3rd percentile)
An attacker with knowledge of the user/pass of a Grandstream GSD3710 in its 1.0.11.13 version could overflow the stack, since the device doesn't check the param length before passing it to strcpy. Exploitation of this vulnerability may allow an attacker to execute a shell with full access.

Affected (6 ranges)

Vendor       | Product                                      | Version range          | Fixed in
grandstream  | gds3710_firmware                             |                        |
grandstream  | grandstream_gsd3710                          |                        |
linux        | linux_kernel                                 | >= 0 < 4.15.0-246.258  | 4.15.0-246.258
msrc         | cbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0  |                        |
msrc         | cbl2_unbound_1.16.3-1_on_cbl_mariner_2.0     |                        |
msrc         | cm1_unbound_1.10.0-5_on_cbl_mariner_1.0      |                        |

Detection & IOCs (extracted from sources)

command: ping AAAA...A<rop_chain>
version: Grandstream GSD3710 firmware 1.0.11.13
  • Monitor SSH (port 22) login attempts to Grandstream GSD3710 devices followed immediately by shell command execution — the exploit authenticates via SSH then sends an oversized 'ping' command payload (320+ bytes of padding) to trigger the stack overflow.
  • Detect SSH sessions to GSD3710 devices where a single command line exceeds ~320 bytes, particularly commands beginning with 'ping ' followed by a large buffer — this is the exact exploit trigger pattern.
  • Alert on post-exploitation 'id' command execution immediately after an oversized ping command on GSD3710 SSH sessions; the exploit checks for 'root' in the response to confirm shell access.
  • Flag repeated SSH connection attempts (brute-loop) to the same GSD3710 device — the exploit loops incrementing a counter until ROP chain succeeds, producing an unusual pattern of rapid SSH reconnections.
  • The exploit requires valid credentials (username + password) for the target device before the stack overflow can be triggered — this is an authenticated vulnerability, so credential hygiene and SSH access restrictions are critical mitigating controls.
  • The ROP chain uses a hardcoded libc base address (0x76bb8000), meaning the exploit is only reliable against firmware 1.0.11.13 and lower with no ASLR; different firmware versions or ASLR-enabled builds would require a different chain.
  • The exploit checks for and aborts on bad characters (0x0d, 0x0a, 0x3b, 0x7c, 0x20) in the payload — payloads containing these bytes will not be sent, which may affect signature-based detection relying on those characters.
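As an added illustration of the detection notes above (this checker is not part of this record, of Grandstream's tooling, or of the exploit), the following Python turns the first three bullets into rules run over constructed SSH command-audit lines. The audit-line format, the reconnect threshold and the time window are assumptions; the 320-byte trigger size comes from the notes.

```python
import re
from collections import defaultdict

OVERSIZED_PING_BYTES = 320       # trigger size stated in the detection notes above
RECONNECT_THRESHOLD = 5          # assumption: new sessions per source that count as a brute-loop
RECONNECT_WINDOW_SECONDS = 60    # assumption: seconds over which those sessions are counted

# Assumed audit-line format (constructed for this example, not a Grandstream log format):
# "<epoch> <src_ip> session=<id> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) session=(?P<sid>\S+) cmd=(?P<cmd>.*)$")

def analyze(lines):
    """Return (alert_type, subject) pairs; subject is a session id or, for rapid_reconnect, a source IP."""
    alerts, overflowed, seen = [], set(), set()
    sessions_by_src = defaultdict(list)          # src -> list of session start times
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue                             # skip lines that do not fit the assumed format
        sid, cmd, src, ts = m["sid"], m["cmd"], m["src"], int(m["ts"])
        if sid not in seen:                      # count each SSH session once, at its first command
            seen.add(sid)
            sessions_by_src[src].append(ts)
        if cmd.startswith("ping ") and len(cmd.encode()) > OVERSIZED_PING_BYTES:
            alerts.append(("oversized_ping", sid))   # the exploit trigger pattern
            overflowed.add(sid)
        elif cmd.strip() == "id" and sid in overflowed:
            alerts.append(("post_exploit_id", sid))  # shell confirmation after the overflow
    for src, times in sessions_by_src.items():
        times.sort()
        for i, t0 in enumerate(times):           # sliding window over session start times
            if sum(1 for t in times[i:] if t - t0 <= RECONNECT_WINDOW_SECONDS) >= RECONNECT_THRESHOLD:
                alerts.append(("rapid_reconnect", src))
                break
    return alerts

# Constructed sample lines: a normal session, one matching the exploit pattern, then a
# burst of reconnections from the same source.
SAMPLE_LINES = [
    "1663900000 10.0.0.5 session=s1 cmd=show version",
    "1663900002 10.0.0.9 session=s2 cmd=ping " + "A" * 400,
    "1663900003 10.0.0.9 session=s2 cmd=id",
    "1663900004 10.0.0.5 session=s3 cmd=ping 192.0.2.1",
] + [f"{1663900010 + i} 10.0.0.9 session=r{i} cmd=id" for i in range(5)]
```

Running `analyze(SAMPLE_LINES)` yields one alert per rule: the oversized ping and the follow-up `id` in session s2, and a rapid-reconnect alert for 10.0.0.9; the short `ping 192.0.2.1` in session s3 is not flagged.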

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
osv: 5.5 MEDIUM
vendor_msrc: 7.8 HIGH