CVE-2025-14186
📋 TL;DR
A cross-site scripting (XSS) vulnerability in Grandstream GXP1625 VoIP phones allows attackers to inject malicious scripts via the vpn_ip parameter in the network status API. This affects organizations using these phones with the vulnerable firmware version. Remote exploitation is possible when the device's web interface is accessible.
💻 Affected Systems
- Grandstream GXP1625
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, takes full control of the phone system, or uses the phone as a pivot point into the internal network.
Likely Case
Session hijacking, credential theft from administrators accessing the web interface, or defacement of the network status page.
If Mitigated
Limited to minor UI disruption if proper network segmentation and access controls prevent external access to the web interface.
🎯 Exploit Status
Exploit code is publicly available. Attack requires no authentication and minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Monitor Grandstream security advisories for updates.
🔧 Temporary Workarounds
Disable web interface
allDisable the phone's web administration interface if not required for operations
Network segmentation
allPlace phones on isolated VLAN without internet access or external connectivity
🧯 If You Can't Patch
- Implement strict network access controls to prevent external access to phone web interfaces
- Deploy web application firewall (WAF) rules to block XSS payloads targeting the vpn_ip parameter
🔍 How to Verify
Check if Vulnerable:
Check firmware version via phone web interface > Status > System Status. If version is 1.0.7.4, device is vulnerable.Check Version:
No CLI command. Use web interface or check via Grandstream provisioning system.Verify Fix Applied:
Verify firmware version has been updated beyond 1.0.7.4 when patch becomes available.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/api.values.post with suspicious vpn_ip parameter values containing script tags or JavaScript
Network Indicators:
- Unusual HTTP POST requests to phone IP addresses on port 80/443 with XSS payloads in parameters
SIEM Query:
source="phone_web_logs" AND uri="/cgi-bin/api.values.post" AND (param="vpn_ip" AND value MATCHES "<script|javascript:|onload=|onerror=")