Grandstream UCM6510 CVE-2025-28171
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Pre-auth Login endpoint on network appliance; description confirms only information disclosure, so I:N overrides the provided I:L.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.
AnalysisAI
Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.
Technical ContextAI
The Grandstream UCM6510 is a hardware IP PBX appliance running embedded Linux firmware, targeted at SMB and enterprise unified communications deployments. Its web management interface exposes CGI endpoints (/cgi) and a WebRTC gateway (/webrtccgi), both of which include a Login function. CWE-922 (Insecure Storage of Sensitive Information) as the root-cause class indicates that sensitive data - plausibly credentials, session identifiers, or internal configuration details - is stored or transmitted in a manner accessible without authorization at these pre-authentication endpoints. The affected CPE string cpe:2.3:o:grandstream:ucm6510_firmware:*:*:*:*:*:*:*:* with a version cap at 1.0.20.52 confirms all prior firmware releases are vulnerable. The dual-endpoint exposure (both standard CGI and WebRTC CGI paths) suggests the flaw may originate in a shared authentication or response-handling library used by both handlers.
RemediationAI
The primary remediation is to upgrade UCM6510 firmware beyond version 1.0.20.52; however, no specific patched firmware version was identified in the provided reference data, and the vendor advisory URL (http://ucm65xx.com) did not resolve to a confirmed patch release - check Grandstream's official support portal for the latest firmware. Until a patch is applied, the most effective compensating control is to restrict network access to the UCM6510 web management interface (/cgi and /webrtccgi paths) using firewall rules or ACLs, ensuring the device is not directly reachable from the internet. Placing the management interface on a dedicated management VLAN with strict ingress filtering eliminates the network-accessible attack vector entirely. If WebRTC functionality must be internet-exposed, consider terminating it behind a reverse proxy with authentication enforcement. Disabling web management access from untrusted networks is a low-risk, high-impact mitigation with minimal operational trade-off for most deployments.
More in Ucm6510 Firmware
View allSame weakness CWE-922 – Insecure Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today