Grandstream UCM6510 CVE-2025-28172
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-reachable login endpoint with no prerequisites; confidentiality and integrity limited to account-level compromise, no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
AnalysisAI
Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.
Technical ContextAI
The Grandstream UCM6510 is an enterprise-class IP PBX (Private Branch Exchange) unified communications appliance running embedded Linux-based firmware, identified by CPE cpe:2.3:o:grandstream:ucm6510_firmware. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts) - the authentication endpoint lacks controls such as account lockout thresholds, exponential backoff, IP-based rate limiting, or multi-factor authentication enforcement. This class of weakness allows automated tools to iterate through credential lists against the login interface without triggering any defensive response from the system. The UCM6510's web management interface and SIP authentication surfaces are exposed over the network, widening the attack surface for this type of attack.
RemediationAI
Upgrade the UCM6510 firmware to a version beyond v1.0.20.52 if Grandstream has released a patched build - check the Grandstream firmware release portal directly, as no patched version number was confirmed in the available reference data. As an immediate compensating control, restrict access to the UCM6510 web management interface and SIP authentication endpoints to trusted IP ranges only via firewall ACLs, significantly reducing the attack surface by preventing unauthenticated internet-facing brute-force attempts. Enforce strong, unique passwords on all accounts (minimum 16 characters, not dictionary words) to make brute-force attacks computationally impractical even in the absence of lockout. Where the management interface must remain accessible, place it behind a VPN or jump host to require prior authentication. These controls address the risk without eliminating the underlying firmware flaw, so firmware patching remains the definitive fix once a corrected release is confirmed available.
More in Ucm6510 Firmware
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today