CVE-2020-5722
Published: 23 March 2020
Summary
CVE-2020-5722 is a critical-severity SQL injection (CWE-89) vulnerability in Grandstream UCM6200 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an unauthenticated remote SQL injection flaw, tracked as CVE-2020-5722 (CVSS 9.8, CWE-89), in the HTTP interface of the Grandstream UCM6200 series IP PBX appliances. It is triggered by specially crafted HTTP requests; versions before 1.0.19.20 are affected for the command-execution impact and versions before 1.0.20.17 for the HTML-injection impact.
An unauthenticated remote attacker can supply malicious input over the network to exploit the SQL injection, resulting in the ability to execute arbitrary shell commands with root privileges on vulnerable firmware or to inject arbitrary HTML content into password-recovery emails.
Public exploit code and technical details have been published on PacketStorm and in Tenable research advisory TRA-2020-15, confirming that the issues can be triggered without authentication or user interaction; mitigation requires updating the affected UCM6200 devices to the fixed firmware releases noted in the vulnerability description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-26881
Vulnerability details
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
- CWE(s): CWE-89
- KEV Date Added: 28 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the crafted HTTP inputs that trigger the unauthenticated SQL injection (CWE-89).
- AC-3 (Access Enforcement): enforces authentication and authorization on the HTTP interface so unauthenticated remote attackers cannot reach the vulnerable endpoints.
- Vendor firmware update: requires timely application of the fixed firmware releases (1.0.19.20 / 1.0.20.17) that eliminate the SQL-injection flaw.