CVE-2020-5722 — Grandstream Networks UCM6200 Series SQL Injection Vulnerability

Grandstream UCM6200 IP PBX — Unauthenticated SQL Injection Leading to Root RCE

What is the Grandstream UCM6200 Series?

Grandstream UCM6200 is a series of IP PBX (Private Branch Exchange) appliances for unified communications — handling voice calls, video conferencing, voicemail, fax, and call routing in small-to-medium business and enterprise environments. Models include the UCM6202, UCM6204, UCM6208, and UCM6510. These devices are widely deployed as the phone system backbone for businesses, law firms, healthcare providers, and government offices. Because they handle sensitive voice communications and integrate with internal directory services, compromising a UCM6200 can yield access to call recordings, voicemail, corporate contacts, and potentially pivot points into the broader network.

Overview

CVE-2020-5722 is an unauthenticated SQL injection vulnerability (CWE-89) in the HTTP API of Grandstream UCM6200 series IP PBX appliances. A remote attacker with no credentials can send a crafted HTTP request to the device's web interface and inject arbitrary SQL commands into the backend database. Exploitation of the SQL injection leads to OS command execution as root — giving an attacker complete control of the PBX appliance and access to all communications data it handles.

Affected Versions

Product                                          Vulnerable Firmware   Fixed Firmware
Grandstream UCM6202, UCM6204, UCM6208, UCM6510   < 1.0.20.17           1.0.20.17 and later

Technical Details

The UCM6200 web management interface is powered by a custom web application backed by a database (SQLite). One or more API endpoints in the web interface accept HTTP parameters that are incorporated into SQL queries without proper parameterization or escaping. By crafting a request with SQL metacharacters (single quotes, UNION statements, stacked queries), an unauthenticated attacker can:

  1. Dump the database: extract usernames, passwords, call logs, voicemail, and configuration data
  2. Execute OS commands: the path from SQL injection to a root shell depends on a database feature that reaches the OS, either SQLite's load_extension() or the application's later use of database-sourced data in shell operations

The resulting command execution occurs with root privileges because the web application process runs as root on the embedded Linux OS. No authentication cookie, session, or credentials are required.
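The root cause described above is a query built from HTTP parameters by string concatenation. The following is an added example, not code from the UCM6200 firmware or from Tenable's advisory: it uses Python's sqlite3 module against a constructed in-memory table (the table name, columns and rows are invented for illustration) to show the concatenated query beside its parameterized replacement, and to check that SQLite's load_extension() function, which the text names as one route to OS-level execution, stays disabled unless the application turns it on.

```python
import sqlite3


def make_db():
    """Constructed sample database; the schema is illustrative, not the appliance's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "redacted-1"), ("alice", "redacted-2")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Concatenates the caller-supplied value into the SQL text (CWE-89 pattern).

    A value containing a quote changes the structure of the statement instead
    of being treated as data, so a tautology such as ' OR 1=1 -- returns every row.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def extension_loading_blocked(conn):
    """True if SELECT load_extension(...) is refused by this connection.

    The sqlite3 module leaves extension loading disabled by default; a web
    backend that runs as root must keep it that way, because an injected
    load_extension() call is one of the routes from SQL to OS execution.
    """
    try:
        conn.execute("SELECT load_extension('nonexistent-extension')")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"
    print("vulnerable:", lookup_user_vulnerable(db, tautology))
    print("parameterized:", lookup_user_safe(db, tautology))
    print("load_extension blocked:", extension_loading_blocked(db))
```

Note that Python's sqlite3 also rejects stacked statements in a single execute() call; a C or PHP backend calling the SQLite API directly may not, which is why the text lists stacked queries among the usable metacharacters.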

Discovery

The vulnerability was discovered by researchers at Tenable and published in March 2020 alongside coordinated disclosure with Grandstream. Grandstream released patched firmware version 1.0.20.17 at the time of disclosure.

Exploitation Context

CISA added CVE-2020-5722 to the KEV catalog on January 28, 2022. UCM6200 devices are attractive targets because they sit on internal corporate networks, handle sensitive voice communications, and are often managed separately from standard IT security tooling — creating blind spots in enterprise monitoring. An attacker who roots a UCM6200 can:

  • Access call recordings and voicemail stored on the device
  • Intercept or redirect future calls
  • Use the device's internal network position to scan and attack adjacent systems
  • Exfiltrate the corporate phone directory and LDAP integration credentials

Many small-to-medium businesses running Grandstream UCM6200 devices have not consistently applied firmware updates, explaining the late KEV addition two years after the patch.

Remediation

  1. Upgrade firmware to 1.0.20.17 or later: Log into the UCM6200 admin interface and apply the update under Maintenance → Upgrade.
  2. Restrict web interface access: Configure the UCM6200's firewall rules (System Settings → Network Settings → Packet Filter) to allow web interface access only from trusted internal management hosts — not the full internal network or internet.
  3. Disable web interface from WAN: If the UCM6200 is connected to the internet, ensure the web management interface (port 80/443) is not accessible from external IPs.
  4. Change default credentials: Verify the admin password has been changed from the factory default.
  5. Review call records: If the device was potentially compromised, review CDR (Call Detail Records) for unexpected calls, check voicemail for signs of eavesdropping, and rotate any LDAP/AD integration credentials stored on the device.
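Steps 2, 3 and 5 above amount to two checks a defender can run over the web server's access log: did any request to the management interface come from outside the approved management hosts, and did any request carry SQL metacharacters in its query string. The script below is an added example, not tooling from Grandstream or from this advisory; the log lines are constructed in common log format, the management allowlist is invented, and the API path /api/PLACEHOLDER stands in for the real endpoint, which this page does not name.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample access log; /api/PLACEHOLDER is a stand-in path, not the real endpoint.
SAMPLE_LOG = """\
10.0.5.20 - - [01/Feb/2022:10:01:02 +0000] "GET /cgi?action=login HTTP/1.1" 200 512
203.0.113.7 - - [01/Feb/2022:10:03:44 +0000] "GET /api/PLACEHOLDER?user=x%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 1400
10.0.8.15 - - [01/Feb/2022:10:05:10 +0000] "POST /api/PLACEHOLDER HTTP/1.1" 200 80
10.0.5.20 - - [01/Feb/2022:10:07:19 +0000] "GET /api/PLACEHOLDER?user=admin%27%3B%20SELECT%201 HTTP/1.1" 500 0
"""

# Invented management allowlist (remediation steps 2 and 3): only these hosts may reach the UI.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Crude indicator set for the metacharacters named in the advisory: quotes,
# UNION/SELECT keywords, comment markers and statement separators.
SQLI_RE = re.compile(r"('|\bunion\b|\bselect\b|--|;|/\*)", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry, allowlist):
    """List the reasons an entry deserves review; empty list means nothing flagged."""
    findings = []
    src = ipaddress.ip_address(entry["ip"])
    if not any(src in net for net in allowlist):
        findings.append("source_not_allowlisted")
    # Decode percent-encoding first so %27 is seen as a quote. Only the URL is
    # in the log; POST bodies are not, so body-based injection needs other telemetry.
    decoded = unquote_plus(entry["path"])
    if SQLI_RE.search(decoded):
        findings.append("sqli_metacharacters")
    return findings


def scan(log_text, allowlist):
    """Scan a log and return the entries that have at least one finding."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = findings_for(entry, allowlist)
        if reasons:
            flagged.append({"ip": entry["ip"], "ts": entry["ts"],
                            "path": entry["path"], "findings": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, MANAGEMENT_ALLOWLIST):
        print(hit["ts"], hit["ip"], hit["path"], ",".join(hit["findings"]))
```

The keyword list is deliberately small and will produce false positives on legitimate parameters that happen to contain a quote or the word "select"; treat a hit as a prompt to pull the CDR and voicemail checks from step 5 for that time window, not as proof of compromise.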

Key Details

Property              Value
CVE ID                CVE-2020-5722
Vendor / Product      Grandstream — UCM6200
NVD Published         2020-03-23
NVD Last Modified     2025-10-31
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-89
CISA KEV Added        2022-01-28
CISA KEV Deadline     2022-07-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-07-28. Apply updates per vendor instructions.

Timeline

Date        Event
2020-03-23  CVE-2020-5722 published; Grandstream releases patched firmware 1.0.20.17
2022-01-28  Added to CISA Known Exploited Vulnerabilities catalog
2022-07-28  CISA BOD 22-01 remediation deadline

References

Resource                              Type
Grandstream UCM6200 Release Notes     Vendor Advisory
NVD — CVE-2020-5722                   Vulnerability Database
CISA KEV Catalog Entry                US Government