Skip to main content
CVE-2025-28171 MEDIUM This Month

Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.

Information Disclosure Ucm6510 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-28172 MEDIUM This Month

Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.

Information Disclosure Ucm6510 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-6060 MEDIUM This Month

Cross-site scripting in DECE Software Geodi before version 9.0.146 allows authenticated low-privileged remote attackers to inject malicious scripts that execute in other users' browsers, crossing a security scope boundary (S:C). The CVSS vector confirms network-accessible exploitation requiring only low-privilege authentication and victim interaction, making it a realistic internal threat vector in multi-user deployments. No public exploit code identified at time of analysis and EPSS of 0.13% (32nd percentile) signals low exploitation probability, though the scope change elevates post-exploitation impact potential beyond the attacker's own session.

XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy