CVE-2019-10655

CRITICAL EXPLOITED IN THE WILD

Grandstream GAC2500/GXP2200/GVC3202/GXV3275/GXV3240 < 1.0.3.219 - Unauthenticated RCE via getlogcat

Title source: llm

Exploitation Summary

CVE-2019-10655 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including alhazred, Brendan Scarvell, bcoles, including a Metasploit module exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command injection vulnerability in Grandstream GXV31XX IP phones via the 'settimezone' action, combined with a buffer overflow in 'phonecookie' to bypass authentication.

Description

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

Exploits (1)

metasploit WORKING POC GREAT

by alhazred, Brendan Scarvell, bcoles · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in Grandstream GXV31XX IP phones via the 'settimezone' action, combined with a buffer overflow in 'phonecookie' to bypass authentication.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Grandstream GXV31XX (GXV3175v2, GXV3140) with firmware versions 1.0.1.19 and 1.0.1.27

No auth needed

Prerequisites: Network access to the target device · Target device must be running vulnerable firmware

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1

Exploit, Third Party Advisory x_refsource_misc

https://github.com/scarvell/grandstream_exploits

View Exploit ZIP pw:eip

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165643/Grandstream-GXV3175-Unauthenticated-Command-Execution.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165931/Grandstream-GXV31XX-settimezone-Unauthenticated-Command-Execution.html

Scores

CVSS v3 9.8

EPSS 0.7244

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-10-14

InTheWild.io 2022-12-21

CWE

CWE-78 CWE-352 CWE-119

Status published

Products (5)

grandstream/gac2500_firmware < 1.0.3.35

grandstream/gvc3202_firmware < 1.0.3.51

grandstream/gxp2200_firmware < 1.0.3.27

grandstream/gxv3240_firmware < 1.0.3.219

grandstream/gxv3275_firmware < 1.0.3.219

Published Mar 30, 2019

Tracked Since Feb 18, 2026