Grandstream UCM62xx IP PBX sendPasswordEmail RCE

Disclosed
Mar 23, 2020

Description

This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
a command injection vulnerability (technically, no assigned CVE but was inadvertently
patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
series of devices. The vulnerabilities allow an unauthenticated remote attacker to
execute commands as root.

Exploitation happens in two stages:

1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. A command injection that occurs after the user-provided username is passed to a Python script
via the shell, like so:

/bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
password '' `cat

This module affects UCM62xx versions before firmware version 1.0.19.20.
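The two bug classes above, shown as an added vulnerable-versus-hardened illustration that is not the module's code or the device's firmware: the user table is a constructed in-memory stand-in, and `echo` stands in for the sendMail.py script so the effect of the shell invocation is visible offline.

```python
"""Two stages: string-built SQL lookup, then a command string passed to /bin/sh."""
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory stand-in for a PBX user table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
    return db


def lookup_unsafe(db, username):
    # Stage 1 pattern: query text assembled from the request parameter,
    # so a quote inside `username` changes the SQL itself.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    # Fix: bound parameter; the value is data and is never parsed as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def send_mail_unsafe(username):
    # Stage 2 pattern: one command string handed to /bin/sh -c, so shell
    # metacharacters (backticks, $(), ;) in `username` are evaluated.
    # `echo` is a stand-in for the hypothetical sendMail.py invocation.
    cmd = f"echo password '' {username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def send_mail_safe(username):
    # Fix: argument vector with no shell; `username` is a single argv entry
    # delivered verbatim, whatever characters it contains.
    argv = ["echo", "password", "", username]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.strip()
```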