CVE-2025-28170

7.6 HIGH

📋 TL;DR

Grandstream GXP1628 IP phones running firmware 1.0.4.130 or earlier ship with directory listing enabled on the built-in web server, so anyone who can reach the phone over HTTP can browse directory contents and fetch files without logging in. Every organization running these phones on vulnerable firmware is affected. The exposed files can include configuration files and logs, and potentially credentials stored in them.

💻 Affected Systems

Products:
  • Grandstream GXP1628
Versions: <= 1.0.4.130
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with vulnerable firmware are affected. Directory listing is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers read the full device configuration, extract any credentials it holds (on an IP phone, typically SIP account and provisioning credentials), pivot to internal networks, and compromise other systems.

🟠 Likely Case

Unauthorized users access sensitive configuration files, potentially obtaining credentials for other systems or learning internal network details.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the device itself without lateral movement.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, attackers can directly exploit this without any authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could still exploit this to gather credentials and pivot within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing more than HTTP access to the phone's IP address from a browser or curl. The public GitHub gist demonstrates the directory listing itself: the server returns an index of a directory it already serves, so no path traversal (../) tricks are involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://grandstream.com

Restart Required: No for the network-level workarounds below; a firmware upgrade reboots the phone as part of the update.

Instructions:

1. Check the Grandstream support site for a GXP1628 firmware release later than 1.0.4.130 and read its release notes for this CVE.
2. Download the firmware image.
3. Upload it through the phone's web interface upgrade page, or serve it from your provisioning server.
4. Apply the update and let the phone reboot.
5. Verify directory listing is disabled by requesting a directory path again without logging in.

🔧 Temporary Workarounds

Disable Directory Listing via Configuration

Applies to: all

Modify the web server configuration to disable directory browsing. Caveat: the phone's web interface provides no setting for this, so unless Grandstream documents one for your firmware, treat this workaround as unavailable and rely on network access control instead.

Network Access Control

Applies to: all

Restrict web interface access to trusted IPs only (a management subnet or jump host), enforced by firewall or ACL rules at the gateway of the phone VLAN.

🧯 If You Can't Patch

  • Segment phones onto an isolated voice VLAN with strict firewall rules; allow HTTP/HTTPS to the phones only from management hosts, and never from an internet-reachable address
  • If your firmware offers an option to disable web access entirely, use it on phones that are managed by provisioning rather than by browser
  • Implement network monitoring for unusual access patterns to phone web interfaces (directory paths, non-management sources)
  • Rotate any credentials that were stored in the phone configuration if exposure is suspected

🔍 How to Verify

Check if Vulnerable:

Without logging in, request a directory path on the phone's web server from a browser or curl, for example http://<phone-ip>/tmp/ or http://<phone-ip>/var/ (note the trailing slash). If the phone answers with a file index instead of a login page or an error, it is vulnerable.

Check Version:

Log in to the web interface > System Status > Firmware Version; anything at or below 1.0.4.130 is in scope.

Verify Fix Applied:

After applying the fix or workarounds, request the same directory paths again. A fixed phone returns 403 Forbidden, 404 Not Found, or a redirect to the login page instead of a listing; with network ACLs in place, a request from a non-trusted host should be refused or time out at the TCP level.
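A scripted version of the check above, added here as an example (it is not from the advisory or from Grandstream): it requests the directory paths named above plus the web root over plain HTTP and classifies each response by the markers that auto-generated index pages usually contain. The marker list, the scanner User-Agent string and the placeholder host 192.0.2.10 are assumptions; confirm the classifier against one real response before relying on it.

```python
"""Probe a Grandstream GXP1628 (or any HTTP host) for directory listing.

Added example, not vendor code. Assumptions: the phone serves plain HTTP
on port 80 and a listing page carries one of the LISTING_MARKERS below;
the exact markup of the GXP1628 listing is not shown in the advisory, so
confirm manually the first time. The default host is a placeholder.
"""
import re
import urllib.error
import urllib.request

# Paths from the advisory's verification step (/tmp, /var) plus the web
# root; trailing slash so the server answers for a directory, not a file.
DIRECTORY_PATHS = ["/", "/tmp/", "/var/"]

# Markers commonly found in auto-generated index pages (Apache, lighttpd,
# busybox httpd, Python's http.server). Assumption: the phone's server
# uses similar markup; extend after a manual look at one response.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\b", re.I),
    re.compile(r"Directory listing for", re.I),
    re.compile(r"Parent Directory", re.I),
    re.compile(r'<a href="\.\./"', re.I),
)


def looks_like_directory_listing(status: int, content_type: str, body: str) -> bool:
    """True if an HTTP response is an auto-generated directory index.

    Requires a 200, an HTML body and at least one listing marker; a 403,
    404 or a redirect to the login page means the path is not browsable.
    """
    if status != 200:
        return False
    if "text/html" not in content_type.lower():
        return False
    return any(m.search(body) for m in LISTING_MARKERS)


def fetch(url: str, timeout: float = 5.0):
    """GET url and return (status, content_type, body); network errors -> status 0."""
    # Distinct User-Agent so your own probes can be allowlisted in detection.
    req = urllib.request.Request(url, headers={"User-Agent": "gxp1628-dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), ""
    except (urllib.error.URLError, OSError):
        return 0, "", ""


def probe(host: str, paths=DIRECTORY_PATHS, scheme: str = "http") -> dict:
    """Return {path: bool} telling which directory paths are listable."""
    results = {}
    for path in paths:
        status, ctype, body = fetch(f"{scheme}://{host}{path}")
        results[path] = looks_like_directory_listing(status, ctype, body)
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder (RFC 5737)
    for path, listable in probe(host).items():
        print(f"{path:8} {'LISTABLE - vulnerable' if listable else 'not listed'}")
```

Run it as `python3 check.py <phone-ip>` from a host that the phone VLAN allows; any path reported as LISTABLE means the phone is vulnerable, and after patching or ACLs every path should come back "not listed". The check only reads up to 64 KB of each response and never authenticates, so it reproduces exactly what an unauthenticated attacker sees.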

📡 Detection & Monitoring

Log Indicators:

  • 200 OK responses to requests whose path ends in a slash (a directory request) or carries index sort parameters such as ?C=M;O=D, from hosts outside the management subnet
  • Retrieval of configuration or log files from the phone with no preceding login

Network Indicators:

  • HTTP requests to phone IPs that walk directory paths in sequence, which is browsing rather than a normal page load
  • Any traffic to phone web interfaces from external or non-management addresses

Note: these phones are not expected to forward an HTTP access log, so collect the indicators from what sits in front of the voice VLAN (Zeek http.log, an IDS, or a firewall or proxy with HTTP inspection).

SIEM Query:

source="web_logs" AND (uri="*/" OR uri="*?C=*" OR uri="*?M=*") AND response="200" AND user_agent!="Grandstream"

Note: the field names (source, uri, response, user_agent) are placeholders for your web-log schema. The ?C= and ?M= patterns are Apache-style autoindex sort parameters and only fire if the phone's server emits them, so the trailing-slash clause is the one that matters; replace the user_agent exclusion with an allowlist of your own scanner's agent and management hosts, and require several hits per source to avoid alerting on a single landing-page request.
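The log-side detection as runnable code, added as an example rather than taken from the advisory: it parses combined-format web log lines (assumed to come from a proxy, IDS or firewall export in front of the phones, since the phone itself is not assumed to produce an access log), keeps successful directory or index-sort requests, drops a management subnet and a scanner User-Agent (both assumed values), and reports sources with repeated listing activity. The log lines are constructed, not real traffic.

```python
"""Flag directory-listing requests against IP phones in HTTP logs.

Added example, not from the advisory or the vendor. Assumes combined log
format lines in which the phone is the server (e.g. from a reverse proxy,
a Zeek-to-CLF export, or whatever web-log source your SIEM parses). The
management network and the allowed scanner User-Agent are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.1.50.23 - - [12/Mar/2025:09:14:02 +0000] "GET /tmp/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.1.50.23 - - [12/Mar/2025:09:14:03 +0000] "GET /tmp/?C=M;O=D HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.1.50.23 - - [12/Mar/2025:09:14:05 +0000] "GET /var/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.1.50.23 - - [12/Mar/2025:09:14:06 +0000] "GET /var/log/ HTTP/1.1" 200 905 "-" "Mozilla/5.0"
10.1.60.7 - - [12/Mar/2025:09:18:40 +0000] "GET /index.html HTTP/1.1" 200 3110 "-" "Mozilla/5.0"
10.1.10.5 - - [12/Mar/2025:09:20:12 +0000] "GET /tmp/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
10.1.10.5 - - [12/Mar/2025:09:21:00 +0000] "GET /var/ HTTP/1.1" 200 2210 "-" "gxp1628-dirlist-check"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Apache-style autoindex sort parameters (C=, M=, N=, S=, O=, D=).
SORT_PARAM_RE = re.compile(r"[?&][CMNSDO]=")

# Hosts and agents expected to probe the phones (your own scanner): assumptions.
MANAGEMENT_NETS = [ipaddress.ip_network("10.1.10.0/24")]
ALLOWED_AGENTS = {"gxp1628-dirlist-check"}


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_listing_request(rec: dict) -> bool:
    """True for a successful GET of a directory (not the web root) or a sort view."""
    if rec["status"] != "200" or rec["method"] != "GET":
        return False
    path = rec["uri"].split("?", 1)[0]
    # The root "/" is a normal landing-page request; deeper trailing-slash
    # paths and index sort parameters are what browsing looks like.
    return (path != "/" and path.endswith("/")) or bool(SORT_PARAM_RE.search(rec["uri"]))


def is_expected_source(rec: dict) -> bool:
    """True for your own scanner or a host in the management subnet."""
    if rec["ua"] in ALLOWED_AGENTS:
        return True
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return False
    return any(src in net for net in MANAGEMENT_NETS)


def find_listing_activity(log_text: str, min_hits: int = 2) -> dict:
    """Return {src_ip: [uris]} for sources with >= min_hits listing requests.

    Two hits rather than one: a single trailing-slash request can be a
    normal page load; a series of directory paths is someone browsing.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_listing_request(rec) and not is_expected_source(rec):
            hits[rec["src"]].append(rec["uri"])
    return {src: uris for src, uris in hits.items() if len(uris) >= min_hits}


if __name__ == "__main__":
    for src, uris in find_listing_activity(SAMPLE_LOG).items():
        print(f"{src}: {len(uris)} directory-listing requests: {', '.join(uris)}")
```

On the sample input only 10.1.50.23 is reported (four listing requests); the 403 and the management-subnet probe are dropped, and the plain index.html load is ignored. Feed it `sys.stdin.read()` or a file instead of SAMPLE_LOG to run it over real exports, and tune MANAGEMENT_NETS and min_hits to your environment.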
