CVE-2020-5757
Severity: CRITICAL
Grandstream UCM6200 < 1.0.20.23 - Command Injection
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
References (2)
https://www.tenable.com/security/research/tra-2020-42 (x_refsource_confirm)
https://www.tenable.com/cve/CVE-2020-5757 (Third Party Advisory)
Scores
CVSS v3: 9.8
EPSS: 0.0693
EPSS Percentile: 93.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (3)
grandstream/ucm6202_firmware < 1.0.20.23
grandstream/ucm6204_firmware < 1.0.20.23
grandstream/ucm6208_firmware < 1.0.20.23
Published: Jul 17, 2020
Tracked Since: Feb 18, 2026