CVE-2020-5757
Last modified
CVE-2020-5757 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.. EPSS estimates a 6.93% chance of exploitation in the next 30 days.
Description
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Grandstream | Ucm6202 Firmware | <= 1.0.20.23 |
| Grandstream | Ucm6204 Firmware | <= 1.0.20.23 |
| Grandstream | Ucm6208 Firmware | <= 1.0.20.23 |
References
- https://www.tenable.com/security/research/tra-2020-42Not Applicable
- https://www.tenable.com/cve/CVE-2020-5757Third Party Advisory
- https://www.tenable.com/security/research/tra-2020-42Not Applicable
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-5757?
How severe is CVE-2020-5757?
How do I fix CVE-2020-5757?
Are you affected by CVE-2020-5757?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST