CVE-2020-5757: OS Command Injection
First published: Fri Jul 17 2020(Updated: )
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grandstream UCM Series IP PBX | <=1.0.20.23 | |
| Grandstream UCM Series IP PBX | ||
| Grandstream UCM Series IP PBX | <=1.0.20.23 | |
| Grandstream UCM Series IP PBX | ||
| Grandstream UCM Series IP PBX | <=1.0.20.23 | |
| Grandstream UCM Series IP PBX |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5757?
CVE-2020-5757 is a vulnerability in the Grandstream UCM6200 series firmware that allows an authenticated remote attacker to execute commands as the root user.
What is the severity of CVE-2020-5757?
CVE-2020-5757 has a severity rating of 9.8, which is considered critical.
How does CVE-2020-5757 work?
CVE-2020-5757 exploits an OS command injection vulnerability via HTTP in the Grandstream UCM6200 series firmware.
Which versions of Grandstream UCM6200 firmware are affected?
Grandstream UCM6200 firmware version 1.0.20.23 and below are affected by CVE-2020-5757.
Is the Grandstream UCM6202 affected by CVE-2020-5757?
Yes, the Grandstream UCM6202 firmware version 1.0.20.23 and below are vulnerable to CVE-2020-5757.
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- agent/type
- agent/tags
- agent/event
- vendor/grandstream
- canonical/grandstream ucm series ip pbx
- version/grandstream ucm series ip pbx/1.0.20.23