Grandstream UCM Series IP PBX Vulnerable to Parameter Injection Attack
CVE-2024-0840

8.8HIGH

Key Information:

Vendor: Grandstream
Status: Ucm Series
Vendor: CVE Published:; 29 April 2024

🔔 Create Grandstream Vulnerability Alert

What is CVE-2024-0840?

The Grandstream UCM Series IP PBX, prior to firmware version 1.0.20.52, is impacted by a parameter injection vulnerability within its HTTP interface. This flaw enables remote and authenticated attackers to execute arbitrary code by issuing specially crafted HTTP requests. Authentication may be compromised through default credentials. Critical vulnerabilities such as this underscore the importance of timely updates and close monitoring of affected models, including UCM6202, UCM6204, UCM6208, and UCM6510.

Affected Version(s)

UCM Series 0

References

https://vulncheck.com/advisories/grand-stream-param-injec...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2024

Credit

Jacob Baines (VulnCheck)