CVE-2024-0840
📋 TL;DR
A parameter injection vulnerability in Grandstream UCM Series IP PBX allows authenticated remote attackers to execute arbitrary code via crafted HTTP requests. This affects UCM6202, UCM6204, UCM6208, and UCM6510 models running firmware before version 1.0.20.52. Attackers may leverage default credentials to gain authentication.
💻 Affected Systems
- Grandstream UCM6202
- Grandstream UCM6204
- Grandstream UCM6208
- Grandstream UCM6510
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root access, installing persistent backdoors, pivoting to internal networks, and exfiltrating sensitive data including call recordings and credentials.
Likely Case
Attacker gains shell access, installs cryptocurrency miners or ransomware, disrupts phone services, and accesses call data and configuration files.
If Mitigated
Attack fails due to strong authentication controls, network segmentation, and proper patching, resulting in no impact beyond failed login attempts.
🎯 Exploit Status
Exploitation requires authentication but default credentials may be present. Parameter injection to RCE is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.20.52
Vendor Advisory: https://www.grandstream.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Back up the configuration.
2. Download firmware 1.0.20.52 from the Grandstream support portal.
3. Log into the web interface.
4. Navigate to Maintenance > Upgrade.
5. Upload the firmware file.
6. Wait for the automatic reboot.
🔧 Temporary Workarounds
Change Default Credentials
Change all default passwords to strong, unique credentials
Network Segmentation
Restrict HTTP interface access to management networks only
🧯 If You Can't Patch
- Isolate device on separate VLAN with strict firewall rules allowing only necessary traffic
- Implement web application firewall (WAF) to block parameter injection attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface: System Status > System Information
Check Version:
No CLI command - check via web interface at System Status > System Information
Verify Fix Applied:
Confirm firmware version shows 1.0.20.52 or higher in System Status > System Information
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to administrative endpoints
- Multiple failed login attempts followed by successful login
- Process execution logs showing unexpected commands
Network Indicators:
- HTTP traffic with unusual parameter values or encoding
- Outbound connections from PBX to unexpected external IPs
- Sudden increase in network traffic from PBX
SIEM Query:
source="grandstream-ucm" AND (http_method="POST" AND uri_path="/cgi-bin/*" AND (param_value="*;*" OR param_value="*|*" OR param_value="*`*"))
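As an added example (not part of the original advisory or of Grandstream's tooling), the logic of the SIEM query above as a script run over constructed HTTP access-log lines; the log format, the /cgi-bin/ endpoint names and the addresses are assumptions, not the UCM's real ones. Unlike the one-line query, it percent-decodes parameter values before matching, so encoded metacharacters such as %3B are not missed.

```python
"""Flag POST requests to the PBX admin CGI whose parameters carry shell
metacharacters (;, |, `) after URL-decoding.  Log format, endpoint paths
and addresses below are CONSTRUCTED for this example."""
import re
from urllib.parse import unquote_plus

SUSPICIOUS = set(";|`")          # same metacharacters the SIEM query matches
ADMIN_PATH = "/cgi-bin/"         # administrative endpoints of interest

# Constructed combined-log-style format with the POST body appended.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) \d+ body="(?P<body>[^"]*)"$'
)

# Constructed sample lines: one benign GET, one benign POST, two POSTs with
# encoded metacharacters, one POST outside the admin path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /cgi-bin/api.values.get HTTP/1.1" 200 512 body=""',
    '10.0.0.5 - - [01/Feb/2024:10:00:02 +0000] "POST /cgi-bin/api HTTP/1.1" 200 88 body="action=setconfig&name=host&value=pbx01"',
    '203.0.113.9 - - [01/Feb/2024:10:00:03 +0000] "POST /cgi-bin/api HTTP/1.1" 200 88 body="action=setconfig&name=host&value=pbx01%3Bid"',
    '203.0.113.9 - - [01/Feb/2024:10:00:04 +0000] "POST /cgi-bin/api?cmd=ping%7Cls HTTP/1.1" 200 88 body=""',
    '203.0.113.9 - - [01/Feb/2024:10:00:05 +0000] "POST /index.html HTTP/1.1" 200 88 body="x=a%3Bb"',
]


def flagged_params(data: str) -> list:
    """Return (key, decoded value) pairs whose value contains a metacharacter.
    Splits on '&' explicitly so a literal ';' is never treated as a separator."""
    found = []
    for pair in filter(None, data.split("&")):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)              # decodes %3B, %7C, %60, ...
        if SUSPICIOUS & set(value):
            found.append((key, value))
    return found


def scan_lines(lines) -> list:
    """Return (source ip, path, flagged params) for each suspicious POST."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["target"].partition("?")
        if not path.startswith(ADMIN_PATH):
            continue
        bad = flagged_params(query) + flagged_params(m["body"])
        if bad:
            hits.append((m["src"], path, bad))
    return hits


if __name__ == "__main__":
    for src, path, bad in scan_lines(SAMPLE_LOG):
        print(f"{src} POST {path}: {bad}")
```

Both benign lines and the POST outside /cgi-bin/ are ignored; the two hits are the percent-encoded ';' in the body and the '|' in the query string, which the raw wildcard query would not have matched.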