Skip to main content

Grandstream UCM6510 CVE-2025-28172

MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2025-07-29 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable login endpoint with no prerequisites; confidentiality and integrity limited to account-level compromise, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:51 vuln.today

DescriptionCVE.org

Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.

AnalysisAI

Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.

Technical ContextAI

The Grandstream UCM6510 is an enterprise-class IP PBX (Private Branch Exchange) unified communications appliance running embedded Linux-based firmware, identified by CPE cpe:2.3:o:grandstream:ucm6510_firmware. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts) - the authentication endpoint lacks controls such as account lockout thresholds, exponential backoff, IP-based rate limiting, or multi-factor authentication enforcement. This class of weakness allows automated tools to iterate through credential lists against the login interface without triggering any defensive response from the system. The UCM6510's web management interface and SIP authentication surfaces are exposed over the network, widening the attack surface for this type of attack.

RemediationAI

Upgrade the UCM6510 firmware to a version beyond v1.0.20.52 if Grandstream has released a patched build - check the Grandstream firmware release portal directly, as no patched version number was confirmed in the available reference data. As an immediate compensating control, restrict access to the UCM6510 web management interface and SIP authentication endpoints to trusted IP ranges only via firewall ACLs, significantly reducing the attack surface by preventing unauthenticated internet-facing brute-force attempts. Enforce strong, unique passwords on all accounts (minimum 16 characters, not dictionary words) to make brute-force attacks computationally impractical even in the absence of lockout. Where the management interface must remain accessible, place it behind a VPN or jump host to require prior authentication. These controls address the risk without eliminating the underlying firmware flaw, so firmware patching remains the definitive fix once a corrected release is confirmed available.

Share

CVE-2025-28172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy