CVE-2020-5722

CRITICAL KEV NUCLEI

Grandstream UCM6200 <1.0.19.20 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-5722 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 28, 2022. EIP tracks 2 public exploits from researchers including Jacob Baines, jbaines-r7, including a Metasploit module exploits/linux/http/grandstream_ucm62xx_sendemail_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets CVE-2020-5722, a remote command injection vulnerability in Grandstream UCM6202 devices. It leverages the `sendPasswordEmail` action in the CGI interface to inject a reverse shell payload via the `user_name` parameter.

Description

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Exploits (2)

exploitdb WORKING POC
by Jacob Baines · pythonwebappshardware
https://www.exploit-db.com/exploits/48247

This exploit targets CVE-2020-5722, a remote command injection vulnerability in Grandstream UCM6202 devices. It leverages the `sendPasswordEmail` action in the CGI interface to inject a reverse shell payload via the `user_name` parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Grandstream UCM6202 1.0.18.13
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by jbaines-r7 · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb

This Metasploit module exploits an unauthenticated SQL injection (CVE-2020-5722) and command injection vulnerability in Grandstream UCM62xx IP PBX devices, allowing remote code execution as root. The exploit leverages the 'Forgot Password' feature to inject malicious commands via a Python script executed by the shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Grandstream UCM62xx IP PBX series (versions before 1.0.19.20)
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Grandstream UCM6200 - SQL Injection
CRITICALby theamanrawat
Shodan: ssl:"Grandstream" "Set-Cookie: TRACKID"

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.8365
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-28
VulnCheck KEV 2020-04-03
InTheWild.io 2020-04-03
ENISA EUVD EUVD-2020-26881
CWE
CWE-89
Status published
Products (1)
grandstream/ucm6200_firmware < 1.0.19.20
Published Mar 23, 2020
KEV Added Jan 28, 2022
Tracked Since Feb 18, 2026