Description
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.
References (3)
Third Party Advisory (x_refsource_misc): https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisioning.pdf
Third Party Advisory, VDB Entry, mailing-list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/537818/100/0/threaded
Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-The-Middle.html
Scores
CVSS v3: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0172
EPSS Percentile: 74.7%
Details
CWE
CWE-284
Status
published
Products (1)
grandstream/wave
< 1.0.1.26
Published
Apr 21, 2017
Tracked Since
Feb 18, 2026