Skip to main content

Ucm6510 Firmware

2 CVEs product

Monthly

CVE-2025-28171 MEDIUM This Month

Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.

Information Disclosure Ucm6510 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-28172 MEDIUM This Month

Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.

Information Disclosure Ucm6510 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.

Information Disclosure Ucm6510 Firmware
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.

Information Disclosure Ucm6510 Firmware
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy