CVE-2020-5758

HIGH

Grandstream UCM6200 <1.0.20.23 - Command Injection


Description

Grandstream UCM6200 series firmware versions before 1.0.20.23 are vulnerable to OS command injection (CWE-78) reachable over HTTP. An authenticated remote attacker can execute arbitrary commands as root by sending a crafted HTTP GET request to the UCM's "Old" HTTPS API. Authentication is required (the CVSS vector carries PR:L), so the practical exposure is any account on the UCM web interface, including low-privilege ones; because the injected commands run as root, a successful request gives full control of the appliance. Firmware 1.0.20.23 and later is not listed as affected.
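The weakness class behind this record, as an added illustration: this is not Grandstream's code and says nothing about the real "Old" API's endpoints or parameters. The /cgi-bin/old_api path, the action and host parameter names and the use of echo as a stand-in for the wrapped tool are all assumptions. It shows a GET handler that splices a query value into a shell command (the CWE-78 pattern), the hardened form that allowlists the value and executes without a shell, and a small access-log triage helper that flags query parameters carrying shell metacharacters.

```python
"""Added illustration of CWE-78 via an HTTP GET parameter.  Hypothetical code:
not Grandstream firmware; path and parameter names are made up."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Allowlist for a host parameter: IPv4 literal or DNS hostname characters only
# (hypothetical policy for this example).
SAFE_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Shell metacharacters that must never reach a command line unescaped.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def vulnerable_handler(host: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell command
    line, so ';', '|' and '$(...)' are interpreted by /bin/sh.  'echo' stands in
    for whatever diagnostic tool the real handler wraps; a daemon running as
    root would execute the injected command as root."""
    proc = subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def accepts(host: str) -> bool:
    """True if the hardened handler would accept this parameter value."""
    return SAFE_HOST.fullmatch(host) is not None


def hardened_handler(host: str) -> str:
    """Hardened form: reject anything outside the allowlist, then run the tool
    without a shell so the value is a single argv element and cannot start a
    second command."""
    if not accepts(host):
        raise ValueError("rejected host parameter: %r" % host)
    proc = subprocess.run(["echo", host], shell=False,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def suspicious_params(request_line: str) -> list:
    """Triage helper for web access logs: names of query parameters whose
    URL-decoded values contain shell metacharacters."""
    target = request_line.split()[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(SHELL_META.search(v) for v in values))


# Constructed sample: an authenticated GET carrying a ';'-chained payload.
# The path and parameter names are hypothetical.
PAYLOAD = "127.0.0.1; echo INJECTED"
SAMPLE_REQUEST = ("GET /cgi-bin/old_api?action=ping&host=127.0.0.1%3B%20echo%20INJECTED"
                  " HTTP/1.1")

if __name__ == "__main__":
    print(repr(vulnerable_handler(PAYLOAD)))   # '127.0.0.1\nINJECTED\n'
    print(suspicious_params(SAMPLE_REQUEST))  # ['host']
    try:
        hardened_handler(PAYLOAD)
    except ValueError as exc:
        print(exc)
```

Run as a script to see the chained command execute through the vulnerable handler and be rejected by the hardened one. Allowlisting is the primary control; dropping shell=True on its own stops command chaining but still hands the wrapped tool an arbitrary argument, which matters when that tool has its own option parsing.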

References (2)

Tenable Research Advisory TRA-2020-42 (tagged Third Party Advisory, x_refsource_confirm; link reported broken at capture time)
https://www.tenable.com/security/research/tra-2020-42

Scores

CVSS v3.1 base score 8.8 (High)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector NETWORK
EPSS 0.0437 (4.37% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 90.1%

Details

CWE
CWE-78
Status published
Products (3)
grandstream/ucm6202_firmware < 1.0.20.23
grandstream/ucm6204_firmware < 1.0.20.23
grandstream/ucm6208_firmware < 1.0.20.23
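An added check, not part of this record or of any vendor tooling, for matching an inventory against the affected-product lines above: it parses the three vendor/product < fixed-version entries and compares firmware versions numerically, because comparing dotted version strings lexically misorders 1.0.20.9 against 1.0.20.23. Products other than the three listed return False, which means "not listed on this record", not "known safe".

```python
"""Added version-range check for the affected products listed on this record.
Not vendor code; the product lines below are copied from the record."""
from typing import Dict, Tuple

# The affected-product lines exactly as shown on this page.
AFFECTED = """grandstream/ucm6202_firmware < 1.0.20.23
grandstream/ucm6204_firmware < 1.0.20.23
grandstream/ucm6208_firmware < 1.0.20.23"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.0.20.23' -> (1, 0, 20, 23); tuples compare component-wise as ints,
    which is what a lexical string compare gets wrong."""
    return tuple(int(part) for part in version.strip().split("."))


def load_affected(text: str) -> Dict[str, Tuple[int, ...]]:
    """Map vendor/product -> first fixed version from 'product < version' lines."""
    table = {}
    for line in text.splitlines():
        product, sep, bound = line.partition("<")
        if sep:
            table[product.strip()] = parse_version(bound)
    return table


def is_affected(product: str, version: str, table=None) -> bool:
    """True when the product is listed and its version is below the fixed one."""
    table = table if table is not None else load_affected(AFFECTED)
    bound = table.get(product)
    if bound is None:
        return False  # not on this record; says nothing about other advisories
    return parse_version(version) < bound


if __name__ == "__main__":
    # Constructed inventory rows for demonstration.
    for product, version in [("grandstream/ucm6202_firmware", "1.0.20.9"),
                             ("grandstream/ucm6208_firmware", "1.0.20.23"),
                             ("grandstream/ucm6204_firmware", "1.0.21.1")]:
        print(product, version, "affected" if is_affected(product, version) else "not affected")
```

Feed it the model and firmware string from each UCM's web UI or SNMP sysDescr; anything reported as affected should be upgraded to 1.0.20.23 or later.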
Published Jul 17, 2020
Tracked Since Feb 18, 2026