Search criteria
6 vulnerabilities by grandstream
CVE-2026-2329 (GCVE-0-2026-2329)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:08 – Updated: 2026-02-18 14:50
VLAI?
Title
Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow
Summary
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Grandstream | GXP1610 |
Affected:
0 , ≤ 1.0.7.80
(semver)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
Stephen Fewer, Senior Principal Security Researcher at Rapid7
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2329",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T14:50:26.406047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T14:50:51.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GXP1610",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GXP1615",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GXP1620",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GXP1625",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GXP1628",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GXP1630",
"vendor": "Grandstream",
"versions": [
{
"lessThanOrEqual": "1.0.7.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stephen Fewer, Senior Principal Security Researcher at Rapid7"
}
],
"datePublic": "2026-02-18T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.\u003cbr\u003e"
}
],
"value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T14:08:09.272Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://psirt.grandstream.com/"
},
{
"tags": [
"release-notes"
],
"url": "https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdf"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/20983"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2026-2329",
"datePublished": "2026-02-18T14:08:09.272Z",
"dateReserved": "2026-02-11T09:26:52.179Z",
"dateUpdated": "2026-02-18T14:50:51.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14186 (GCVE-0-2025-14186)
Vulnerability from cvelistv5 – Published: 2025-12-07 07:32 – Updated: 2025-12-08 17:12
VLAI?
Title
Grandstream GXP1625 Network Status api.values.post cross site scripting
Summary
A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | GXP1625 |
Affected:
1.0.7.4
|
Credits
cccll (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T17:03:17.876643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T17:12:50.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Network Status Page"
],
"product": "GXP1625",
"vendor": "Grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.7.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "cccll (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "Basic Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-07T07:32:06.898Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-334606 | Grandstream GXP1625 Network Status api.values.post cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.334606"
},
{
"name": "VDB-334606 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.334606"
},
{
"name": "Submit #698650 | Grandstream GXP1625 1.0.7.4 xss",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.698650"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-06T15:06:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Grandstream GXP1625 Network Status api.values.post cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14186",
"datePublished": "2025-12-07T07:32:06.898Z",
"dateReserved": "2025-12-06T14:01:21.254Z",
"dateUpdated": "2025-12-08T17:12:50.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32937 (GCVE-0-2024-32937)
Vulnerability from cvelistv5 – Published: 2024-07-03 14:05 – Updated: 2025-11-04 17:20
VLAI?
Summary
An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
Severity ?
8.1 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | GXP2135 |
Affected:
1.0.11.74
Affected: 1.0.11.79 Affected: 1.0.9.129 |
Credits
Discovered by Matthew Bernath of Cisco Talos.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:grandstream:gxp2135_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gxp2135_firmware",
"vendor": "grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.74"
},
{
"status": "affected",
"version": "1.0.11.79"
},
{
"status": "affected",
"version": "1.0.9.129"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T14:16:57.228461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T14:59:05.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:20:20.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GXP2135",
"vendor": "Grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.74"
},
{
"status": "affected",
"version": "1.0.11.79"
},
{
"status": "affected",
"version": "1.0.9.129"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Matthew Bernath of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T17:00:11.294Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2024-32937",
"datePublished": "2024-07-03T14:05:35.575Z",
"dateReserved": "2024-04-19T20:26:32.967Z",
"dateUpdated": "2025-11-04T17:20:20.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0840 (GCVE-0-2024-0840)
Vulnerability from cvelistv5 – Published: 2024-04-29 18:42 – Updated: 2024-08-01 18:18
VLAI?
Title
Grandstream UCM Series IP PBX HTTP Parameter Injection
Summary
The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and password. Affected models are the UCM6202, UCM6204, UCM6208, and UCM6510.
Severity ?
8.8 (High)
CWE
- CWE-141 - Improper Neutralization of Parameter/Argument Delimiters
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | UCM Series |
Affected:
0 , < <1.0.20.52
(custom)
|
Credits
Jacob Baines (VulnCheck)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ucm6202_firmware",
"vendor": "grandstream",
"versions": [
{
"lessThan": "1.0.20.52",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ucm6204_firmware",
"vendor": "grandstream",
"versions": [
{
"lessThan": "1.0.20.52",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ucm6208_firmware",
"vendor": "grandstream",
"versions": [
{
"lessThan": "1.0.20.52",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:grandstream:ucm6510_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ucm6510_firmware",
"vendor": "grandstream",
"versions": [
{
"lessThan": "1.0.20.52",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T19:17:53.854809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T13:09:24.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:18:18.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://vulncheck.com/advisories/grand-stream-param-injection"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UCM Series",
"vendor": "Grandstream",
"versions": [
{
"lessThan": "\u003c1.0.20.52",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jacob Baines (VulnCheck)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and password. Affected models are the UCM6202, UCM6204, UCM6208, and UCM6510.\u003cbr\u003e"
}
],
"value": "The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and password. Affected models are the UCM6202, UCM6204, UCM6208, and UCM6510.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-141",
"description": "CWE-141 Improper Neutralization of Parameter/Argument Delimiters",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-29T18:42:57.112Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"url": "https://vulncheck.com/advisories/grand-stream-param-injection"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to firmware version 1.0.20.52 or later. Ensure the web interface is not exposed to the internet.\u003cbr\u003e"
}
],
"value": "Upgrade to firmware version 1.0.20.52 or later. Ensure the web interface is not exposed to the internet.\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2024-01-25T17:00:00.000Z",
"value": "VulnCheck reports the vulnerability to Grandstream"
},
{
"lang": "en",
"time": "2024-01-26T02:00:00.000Z",
"value": "Grandstream acknowledges receipt"
},
{
"lang": "en",
"time": "2024-02-08T04:42:00.000Z",
"value": "Grandstream shares a patch build"
},
{
"lang": "en",
"time": "2024-04-26T04:11:00.000Z",
"value": "Grandstream releases 1.0.20.52"
}
],
"title": "Grandstream UCM Series IP PBX HTTP Parameter Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-0840",
"datePublished": "2024-04-29T18:42:57.112Z",
"dateReserved": "2024-01-23T21:10:19.364Z",
"dateUpdated": "2024-08-01T18:18:18.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2070 (GCVE-0-2022-2070)
Vulnerability from cvelistv5 – Published: 2022-09-23 15:06 – Updated: 2025-05-22 18:23
VLAI?
Title
Grandstream GSD3710 Stack-based Buffer Overflow
Summary
In Grandstream GSD3710 in its 1.0.11.13 version, it's possible to overflow the stack since it doesn't check the param length before using the sscanf instruction. Because of that, an attacker could create a socket and connect with a remote IP:port by opening a shell and getting full access to the system. The exploit affects daemons dbmng and logsrv that are running on ports 8000 and 8001 by default.
Severity ?
9.8 (Critical)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | Grandstream GSD3710 |
Affected:
1.0.11.13
|
Credits
José Luis Verdeguer Navarro
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T15:40:26.864319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:23:28.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grandstream GSD3710",
"vendor": "Grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.13"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Luis Verdeguer Navarro"
}
],
"datePublic": "2022-09-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Grandstream GSD3710 in its 1.0.11.13 version, it\u0027s possible to overflow the stack since it doesn\u0027t check the param length before using the sscanf instruction. Because of that, an attacker could create a socket and connect with a remote IP:port by opening a shell and getting full access to the system. The exploit affects daemons dbmng and logsrv that are running on ports 8000 and 8001 by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-23T15:06:57.000Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
],
"solutions": [
{
"lang": "en",
"value": "This vulnerability has been solved by Grandstream in the 1.0.11.23 version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Grandstream GSD3710 Stack-based Buffer Overflow",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2022-09-20T08:00:00.000Z",
"ID": "CVE-2022-2070",
"STATE": "PUBLIC",
"TITLE": "Grandstream GSD3710 Stack-based Buffer Overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grandstream GSD3710",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.0.11.13",
"version_value": "1.0.11.13"
}
]
}
}
]
},
"vendor_name": "Grandstream"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jos\u00e9 Luis Verdeguer Navarro"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Grandstream GSD3710 in its 1.0.11.13 version, it\u0027s possible to overflow the stack since it doesn\u0027t check the param length before using the sscanf instruction. Because of that, an attacker could create a socket and connect with a remote IP:port by opening a shell and getting full access to the system. The exploit affects daemons dbmng and logsrv that are running on ports 8000 and 8001 by default."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
]
},
"solution": [
{
"lang": "en",
"value": "This vulnerability has been solved by Grandstream in the 1.0.11.23 version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2022-2070",
"datePublished": "2022-09-23T15:06:57.101Z",
"dateReserved": "2022-06-13T00:00:00.000Z",
"dateUpdated": "2025-05-22T18:23:28.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2025 (GCVE-0-2022-2025)
Vulnerability from cvelistv5 – Published: 2022-09-23 15:06 – Updated: 2025-05-22 19:59
VLAI?
Title
Grandstream GSD3710 Stack-based Buffer Overflow
Summary
an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn't check the param length before use the strcopy instruction. The explotation of this vulnerability may lead an attacker to execute a shell with full access.
Severity ?
9.8 (Critical)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | Grandstream GSD3710 |
Affected:
1.0.11.13
|
Credits
José Luis Verdeguer Navarro
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T19:59:47.436118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T19:59:54.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grandstream GSD3710",
"vendor": "Grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.13"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Luis Verdeguer Navarro"
}
],
"datePublic": "2022-09-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn\u0027t check the param length before use the strcopy instruction. The explotation of this vulnerability may lead an attacker to execute a shell with full access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-23T15:06:54.000Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
],
"solutions": [
{
"lang": "en",
"value": "This vulnerability has been solved by Grandstream in the 1.0.11.23 version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Grandstream GSD3710 Stack-based Buffer Overflow",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2022-09-20T08:00:00.000Z",
"ID": "CVE-2022-2025",
"STATE": "PUBLIC",
"TITLE": "Grandstream GSD3710 Stack-based Buffer Overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grandstream GSD3710",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.0.11.13",
"version_value": "1.0.11.13"
}
]
}
}
]
},
"vendor_name": "Grandstream"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jos\u00e9 Luis Verdeguer Navarro"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn\u0027t check the param length before use the strcopy instruction. The explotation of this vulnerability may lead an attacker to execute a shell with full access."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/buffer-overflow-vulnerabilities-grandstream-gsd3710"
}
]
},
"solution": [
{
"lang": "en",
"value": "This vulnerability has been solved by Grandstream in the 1.0.11.23 version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2022-2025",
"datePublished": "2022-09-23T15:06:54.166Z",
"dateReserved": "2022-06-08T00:00:00.000Z",
"dateUpdated": "2025-05-22T19:59:54.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}