CVE-2020-5722

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection through the HTTP interface of Grandstream UCM6200 series IP PBX systems. Successful exploitation can lead to remote command execution as root, or to HTML injection in password recovery emails. Organizations running affected UCM6200 series devices on vulnerable firmware versions are at risk.

💻 Affected Systems

Products:
  • Grandstream UCM6200 series IP PBX
Versions: before 1.0.19.20 (command injection) and before 1.0.20.17 (HTML injection)
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable if the HTTP interface is reachable; the flaw lies in the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level remote code execution, allowing attackers to install persistent backdoors, exfiltrate sensitive data, disrupt telephony services, and pivot to other network systems.

🟠 Likely Case

Remote command execution leading to data theft, service disruption, and potential ransomware deployment on vulnerable systems exposed to the internet.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially affecting only the PBX system itself without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist, so this is easily weaponizable. The vulnerability requires no authentication and is simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.19.20 or later for command injection, 1.0.20.17 or later for HTML injection

Vendor Advisory: https://www.grandstream.com/support/security-advisories

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Grandstream support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the firmware update.
5. Reboot the device.
6. Restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to the UCM6200 HTTP interface to trusted management networks only (replace TRUSTED_NETWORK with the permitted CIDR range). These rules are appended to the INPUT chain, so any earlier ACCEPT rule for ports 80/443 still takes precedence; check the chain order with iptables -L INPUT --line-numbers.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable HTTP Interface

Disable the HTTP management interface if it is not required and use HTTPS only. The commands below assume a uci-managed uhttpd; confirm that the HTTPS listener (uhttpd.main.listen_https) is configured before clearing the HTTP one, or the web interface becomes unreachable.

uci set uhttpd.main.listen_http=''
uci commit uhttpd
/etc/init.d/uhttpd restart

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP interface access to trusted IP addresses only
  • Deploy a web application firewall (WAF) with SQL injection protection rules in front of the UCM6200

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: Login > System Status > Firmware Version. If the version is below 1.0.19.20, the system is vulnerable to command injection; if below 1.0.20.17, it is vulnerable to HTML injection.

Check Version:

curl -k https://<device_ip>/cgi-bin/api-sys_operation?passcode=admin | grep version

Verify Fix Applied:

Verify that the firmware version is 1.0.20.17 or higher (this also covers the 1.0.19.20 command-injection fix). Test the HTTP interface with SQL injection payloads to confirm the patch is effective.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in web server logs
  • Repeated failed login attempts from a source that then sends requests matching SQL injection patterns
  • Unexpected system command execution logs

Network Indicators:

  • HTTP requests containing SQL injection patterns to UCM6200 management interface
  • Unusual outbound connections from UCM6200 to external IPs
  • Traffic spikes to/from UCM6200 HTTP ports

SIEM Query:

source="*ucm6200*" AND ("SELECT" OR "UNION" OR "' OR '1'='1" OR "exec(" OR "system(")
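Web server logs usually record request parameters percent-encoded, so a keyword query like the one above misses `%27%20OR%20%271%27%3D%271` unless the field is decoded first. The following is an added example, not part of the original advisory: it parses constructed access-log lines (placeholder endpoint and parameter names, not real UCM6200 paths), decodes the query string, and applies the SIEM query's patterns with word boundaries to avoid matching harmless values such as `select_all`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format). The endpoint and
# parameter names are placeholders, not the device's real paths.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /cgi-bin/example_endpoint?passcode=admin HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2020:10:01:09 +0000] "GET /cgi-bin/example_endpoint?passcode=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2020:10:01:15 +0000] "GET /cgi-bin/example_endpoint?passcode=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2020:10:02:00 +0000] "GET /cgi-bin/status?format=select_all HTTP/1.1" 200 64
"""

# client ip, request method, request target and status code from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The SIEM query's patterns, anchored on word boundaries and applied to the
# decoded query string so that encoded payloads and case variants are caught.
SQLI_PATTERNS = [
    re.compile(r"\bUNION\b\s+(?:ALL\s+)?\bSELECT\b", re.I),  # union-based injection
    re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),              # classic tautology
    re.compile(r"\b(?:exec|system)\s*\(", re.I),             # command helpers
]


def decoded_query(target):
    """Return the percent-decoded query string of a request target ('' if none)."""
    _, _, query = target.partition("?")
    return unquote_plus(query)


def is_sqli(text):
    """True if the decoded text matches any injection pattern."""
    return any(p.search(text) for p in SQLI_PATTERNS)


def scan(log_text):
    """Return (client_ip, decoded_query) for every request that matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = decoded_query(m["target"])
        if is_sqli(query):
            hits.append((m["ip"], query))
    return hits


if __name__ == "__main__":
    for ip, query in scan(SAMPLE_LOG):
        print(f"{ip}\t{query}")
```

Only the two requests from 203.0.113.7 are reported; the plain passcode and the `select_all` value are not flagged.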
