Skip to main content

Grandstream UCM6510 CVE-2025-28171

MEDIUM
Insecure Storage of Sensitive Information (CWE-922)
2025-07-29 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.3 MEDIUM

Pre-auth Login endpoint on network appliance; description confirms only information disclosure, so I:N overrides the provided I:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:52 vuln.today

DescriptionCVE.org

An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.

AnalysisAI

Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.

Technical ContextAI

The Grandstream UCM6510 is a hardware IP PBX appliance running embedded Linux firmware, targeted at SMB and enterprise unified communications deployments. Its web management interface exposes CGI endpoints (/cgi) and a WebRTC gateway (/webrtccgi), both of which include a Login function. CWE-922 (Insecure Storage of Sensitive Information) as the root-cause class indicates that sensitive data - plausibly credentials, session identifiers, or internal configuration details - is stored or transmitted in a manner accessible without authorization at these pre-authentication endpoints. The affected CPE string cpe:2.3:o:grandstream:ucm6510_firmware:*:*:*:*:*:*:*:* with a version cap at 1.0.20.52 confirms all prior firmware releases are vulnerable. The dual-endpoint exposure (both standard CGI and WebRTC CGI paths) suggests the flaw may originate in a shared authentication or response-handling library used by both handlers.

RemediationAI

The primary remediation is to upgrade UCM6510 firmware beyond version 1.0.20.52; however, no specific patched firmware version was identified in the provided reference data, and the vendor advisory URL (http://ucm65xx.com) did not resolve to a confirmed patch release - check Grandstream's official support portal for the latest firmware. Until a patch is applied, the most effective compensating control is to restrict network access to the UCM6510 web management interface (/cgi and /webrtccgi paths) using firewall rules or ACLs, ensuring the device is not directly reachable from the internet. Placing the management interface on a dedicated management VLAN with strict ingress filtering eliminates the network-accessible attack vector entirely. If WebRTC functionality must be internet-exposed, consider terminating it behind a reverse proxy with authentication enforcement. Disabling web management access from untrusted networks is a low-risk, high-impact mitigation with minimal operational trade-off for most deployments.

Share

CVE-2025-28171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy