Vulnerabilities > Grandstream > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-04-14 CVE-2020-5738 Link Following vulnerability in Grandstream products
Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker uploads a specially crafted tar file to the HTTP /cgi-bin/upload_vpntar interface.
network
low complexity
grandstream CWE-59
critical
9.0
2020-03-23 CVE-2020-5722 SQL Injection vulnerability in Grandstream Ucm6200 Firmware
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request.
network
low complexity
grandstream CWE-89
critical
10.0
2019-12-11 CVE-2013-3542 Use of Hard-coded Credentials vulnerability in Grandstream products
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes it easier for remote attackers to obtain access via a TELNET session.
network
low complexity
grandstream CWE-798
critical
10.0
2019-04-01 CVE-2018-17565 OS Command Injection vulnerability in Grandstream products
Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell.
network
low complexity
grandstream CWE-78
critical
10.0
2019-03-30 CVE-2019-10661 Improper Authentication vulnerability in Grandstream Gxv3611Ir HD Firmware
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
network
low complexity
grandstream CWE-287
critical
9.8