Skip to main content

Grandstream GXP1628 CVE-2025-28170

HIGH
Exposure of Information Through Directory Listing (CWE-548)
2025-07-29 cve@mitre.org
7.6
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
7.5 HIGH

Directory listing is described as unauthorized/default-enabled, so PR:N/AC:L over the network; it is read-only information disclosure, hence C:H with I:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:02 vuln.today

DescriptionCVE.org

Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.

AnalysisAI

Information disclosure in the Grandstream GXP1628 IP phone (firmware 1.0.4.130 and earlier) exposes sensitive directories and files because directory listing is enabled on the device web interface, letting attackers browse and retrieve files that should be protected. The flaw (CWE-548) can leak configuration data, credentials, or other sensitive artifacts stored on the device. Publicly available exploit code exists, though EPSS remains low at 0.31% (22nd percentile) and it is not listed in CISA KEV.

Technical ContextAI

The GXP1628 is a mid-range Grandstream small-business VoIP/SIP desk phone with an embedded web management interface. The root cause is CWE-548 (Exposure of Information Through Directory Listing): the embedded HTTP server serves auto-generated index pages for directories that lack an index file, so any client can enumerate and download the underlying files rather than being denied. On VoIP endpoints these directories frequently hold provisioning/configuration files, logs, firmware artifacts, and SIP account material. The single affected CPE is cpe:2.3:o:grandstream:gxp1628_firmware:*, i.e. the device firmware itself, so the exposure is a property of the shipped web server configuration rather than a third-party library.

RemediationAI

No vendor-released patch identified at time of analysis; check Grandstream's GXP1628 firmware download and release-notes page for a build newer than 1.0.4.130 and upgrade if one addressing directory listing is published. As compensating controls until a fixed firmware is confirmed: disable directory listing / autoindex on the device web server if the admin UI exposes that option; restrict access to the phone's management (HTTP/HTTPS) interface by placing phones on a dedicated voice VLAN and blocking web-management ports (typically TCP 80/443) from user and untrusted networks via ACLs or firewall rules - this preserves SIP call functionality while removing the exposed listing surface; and change any credentials or provisioning secrets that may have been readable through the exposed directories. The trade-off of blocking the web interface is that remote GUI administration and any browser-based provisioning workflows will require access from the trusted management segment. The only public reference is the exploit gist (https://gist.github.com/Exek1el/928ea6fd06d3b48c1c91cfdc30317d8d); no advisory URL is available.

Share

CVE-2025-28170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy