CyberSec.Space Logo
Back to CVE Browser

CVE-2020-5722

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score64.1710%
EPSS Percentile95.29th
PublishedMar 23, 2020
Last ModifiedOct 31, 2025

Vulnerability Description

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Affected Platforms (CPE)

πŸ’»
Grandstream

Ucm6200 Firmware

< 1.0.19.20

References & Advisories

πŸ”— http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
πŸ”— http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
πŸ”— https://www.tenable.com/security/research/tra-2020-15
πŸ”— http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
πŸ”— http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
πŸ”— https://www.tenable.com/security/research/tra-2020-15
πŸ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722

Related Vulnerabilities

CVE-2020-57579.8

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated r...

CVE-2020-57599.8

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via SSH. An authenticated re...

CVE-2020-57588.8

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated r...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...