What is the Grandstream UCM6200 Series?
Grandstream UCM6200 is a series of IP PBX (Private Branch Exchange) appliances for unified communications — handling voice calls, video conferencing, voicemail, fax, and call routing in small-to-medium business and enterprise environments. Models include the UCM6202, UCM6204, UCM6208, and UCM6510. These devices are widely deployed as the phone system backbone for businesses, law firms, healthcare providers, and government offices. Because they handle sensitive voice communications and integrate with internal directory services, compromising a UCM6200 can yield access to call recordings, voicemail, corporate contacts, and potentially pivot points into the broader network.
Overview
CVE-2020-5722 is an unauthenticated SQL injection vulnerability (CWE-89) in the HTTP API of Grandstream UCM6200 series IP PBX appliances. A remote attacker with no credentials can send a crafted HTTP request to the device's web interface and inject arbitrary SQL commands into the backend database. Exploitation of the SQL injection leads to OS command execution as root — giving an attacker complete control of the PBX appliance and access to all communications data it handles.
Affected Versions
| Product | Vulnerable Firmware | Fixed Firmware |
|---|---|---|
| Grandstream UCM6202, UCM6204, UCM6208, UCM6510 | < 1.0.20.17 | 1.0.20.17+ |
Technical Details
The UCM6200 web management interface is powered by a custom web application backed by a database (SQLite). One or more API endpoints in the web interface accept HTTP parameters that are incorporated into SQL queries without proper parameterization or escaping. By crafting a request with SQL metacharacters (single quotes, UNION statements, stacked queries), an unauthenticated attacker can:
- Dump the database: Extract usernames, passwords, call logs, voicemail, and configuration data
- Execute OS commands: The SQLite database used by UCM6200 supports user-defined functions or leverages database features that allow OS command execution — either through SQLite's `load_extension()` or through the application's use of database data in subsequent shell operations
The resulting command execution occurs with root privileges because the web application process runs as root on the embedded Linux OS. No authentication cookie, session, or credentials are required.
Discovery
The vulnerability was discovered by researchers at Tenable and published in March 2020 alongside coordinated disclosure with Grandstream. Grandstream released patched firmware version 1.0.20.17 at the time of disclosure.
Exploitation Context
CISA added CVE-2020-5722 to the KEV catalog on January 28, 2022. UCM6200 devices are attractive targets because they sit on internal corporate networks, handle sensitive voice communications, and are often managed separately from standard IT security tooling — creating blind spots in enterprise monitoring. An attacker who roots a UCM6200 can:
- Access call recordings and voicemail stored on the device
- Intercept or redirect future calls
- Use the device's internal network position to scan and attack adjacent systems
- Exfiltrate the corporate phone directory and LDAP integration credentials
Many small-to-medium businesses running Grandstream UCM6200 devices have not consistently applied firmware updates, explaining the late KEV addition two years after the patch.
Remediation
- Upgrade firmware to 1.0.20.17 or later: Log into the UCM6200 admin interface and apply the update under Maintenance → Upgrade.
- Restrict web interface access: Configure the UCM6200's firewall rules (System Settings → Network Settings → Packet Filter) to allow web interface access only from trusted internal management hosts — not the full internal network or internet.
- Disable web interface from WAN: If the UCM6200 is connected to the internet, ensure the web management interface (port 80/443) is not accessible from external IPs.
- Change default credentials: Verify the admin password has been changed from the factory default.
- Review call records: If the device was potentially compromised, review CDR (Call Detail Records) for unexpected calls, check voicemail for signs of eavesdropping, and rotate any LDAP/AD integration credentials stored on the device.
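Two of the remediation steps above (restricting web-interface access to trusted management hosts, and reviewing the device after a possible compromise) can be backed by a log check. The following is an added example, not Grandstream's tooling: it parses constructed Common Log Format lines such as a reverse proxy or syslog collector in front of the PBX might record (this page does not document the UCM6200's own log format), flags requests from outside an assumed management allowlist, and flags any URL-decoded query parameter carrying SQL metacharacters. The path `/EXAMPLE_API` and the allowlist `10.0.50.0/28` are placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist of hosts permitted to reach the PBX web interface.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.50.0/28")]

# Constructed access-log lines. /EXAMPLE_API is a placeholder path, not a real
# UCM6200 endpoint; 203.0.113.9 is a documentation-range address.
SAMPLE_LOG = """\
10.0.50.3 - - [28/Jan/2022:09:12:01 +0000] "GET /EXAMPLE_API?action=status HTTP/1.1" 200 512
10.0.7.44 - - [28/Jan/2022:09:15:22 +0000] "GET /EXAMPLE_API?action=lookup&name=alice HTTP/1.1" 200 1024
203.0.113.9 - - [28/Jan/2022:09:16:05 +0000] "GET /EXAMPLE_API?action=lookup&name=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192
10.0.50.3 - - [28/Jan/2022:09:20:40 +0000] "GET /EXAMPLE_API?action=lookup&name=bob%27%3B-- HTTP/1.1" 500 77
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters and keywords that have no place in a legitimate parameter value
# for a management interface; matched after URL decoding.
SQL_META_RE = re.compile(r"'|--|;|/\*|\bunion\b|\bselect\b", re.IGNORECASE)


def is_management_host(ip_text):
    """True if the source address falls inside the management allowlist."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in MANAGEMENT_NETS)


def suspicious_params(target):
    """Names of query parameters whose decoded value contains SQL metacharacters."""
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if SQL_META_RE.search(v)]


def analyze(log_text):
    """Return one finding per log line that violates the allowlist or carries
    SQL metacharacters; a line can trigger both reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        reasons = []
        if not is_management_host(m["ip"]):
            reasons.append("source outside management allowlist")
        bad = suspicious_params(m["target"])
        if bad:
            reasons.append("SQL metacharacters in parameter(s): " + ",".join(bad))
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

The allowlist check is the more reliable of the two signals: the metacharacter pattern will miss encodings it does not anticipate, whereas a request from an address that should never reach the interface at all is unambiguous, which is why the remediation list puts the packet-filter rule ahead of log review. A 500 response on a flagged request, as in the last sample line, is worth treating as a probe that reached the database layer.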
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-5722 |
| Vendor / Product | Grandstream — UCM6200 |
| NVD Published | 2020-03-23 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2022-01-28 |
| CISA KEV Deadline | 2022-07-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-03-23 | CVE-2020-5722 published; Grandstream releases patched firmware 1.0.20.17 |
| 2022-01-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-07-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Grandstream UCM6200 Release Notes | Vendor Advisory |
| NVD — CVE-2020-5722 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |