Cyber Resilience

CVE-2020-5722

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 March 2020
Modified: 31 October 2025
KEV Added: 28 January 2022
Patch: available
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9274 (99.8th percentile)
Risk priority: 95 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-5722 is a critical-severity SQL injection (CWE-89) vulnerability in Grandstream UCM6200 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an unauthenticated remote SQL injection flaw, tracked as CVE-2020-5722 with CVSS 9.8 and CWE-89, present in the HTTP interface of the Grandstream UCM6200 series IP PBX appliances. It is triggered by specially crafted HTTP requests and affects versions prior to 1.0.19.20 for command execution impact and prior to 1.0.20.17 for HTML injection impact.

An unauthenticated remote attacker can supply malicious input over the network to exploit the SQL injection, resulting in the ability to execute arbitrary shell commands with root privileges on vulnerable firmware or to inject arbitrary HTML content into password-recovery emails.

Public exploit code and technical details have been published on PacketStorm and in Tenable research advisory TRA-2020-15, confirming that the issues can be triggered without authentication or user interaction; mitigation requires updating the affected UCM6200 devices to the fixed firmware releases noted in the vulnerability description.

EU & UK References

Vulnerability details

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 28 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Grandstream UCM6200 firmware, versions ≤ 1.0.19.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly blocks the crafted HTTP inputs that trigger the unauthenticated SQL injection (CWE-89).

Prevent: AC-3 (Access Enforcement). Enforces authentication and authorization on the HTTP interface so unauthenticated remote attackers cannot reach the vulnerable endpoints.

Prevent: vendor patching. Requires timely application of the vendor firmware updates (1.0.19.20 / 1.0.20.17) that eliminate the SQL-injection flaw.
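Because the two fixed releases differ by impact, a fleet check has to compare firmware versions numerically against both thresholds. The script below is an added example, not code from the advisory or from Grandstream; it assumes "prior to" means strictly below the fixed release, and the hostnames and versions in it are constructed.

```python
# Added example (not the advisory's code): triage a UCM6200 fleet for
# CVE-2020-5722 exposure by firmware version. Thresholds from the advisory:
# root command execution fixed in 1.0.19.20, HTML injection in password-
# recovery emails fixed in 1.0.20.17. Assumption: "prior to" means strictly
# less than the fixed release. Hostnames and versions below are constructed.
import re

CMD_EXEC_FIXED = (1, 0, 19, 20)
HTML_INJ_FIXED = (1, 0, 20, 17)

def parse_version(text: str) -> tuple:
    """Parse '1.0.19.20' into ints: a string compare would rank '1.0.9.1'
    above '1.0.19.20' and mark an exposed device as fixed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")  # never assume safe
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad '1.0.19' to '1.0.19.0'

def exposure(version: str) -> list:
    """Return the CVE-2020-5722 impacts this firmware is still exposed to."""
    v = parse_version(version)
    impacts = []
    if v < CMD_EXEC_FIXED:
        impacts.append("unauthenticated root command execution")
    if v < HTML_INJ_FIXED:
        impacts.append("HTML injection in password-recovery emails")
    return impacts

def triage(inventory: dict) -> dict:
    """Map host -> outstanding impacts; unparsable versions are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = exposure(version)
        except ValueError as exc:
            report[host] = [f"needs manual review: {exc}"]
    return report

SAMPLE_INVENTORY = {  # constructed sample data
    "pbx-branch-01": "1.0.19.19",   # both impacts outstanding
    "pbx-branch-02": "1.0.19.20",   # HTML injection only
    "pbx-hq": "1.0.20.17",          # fully patched
    "pbx-lab": "n/a",               # bad inventory record, flagged
}

if __name__ == "__main__":
    for host, findings in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {', '.join(findings) or 'not exposed'}")
```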

References