CVE-2020-5725

Name of the Vulnerable Software and Affected Versions Grandstream UCM6200 series versions prior to 1.0.20.22

Description The issue allows a remote unauthenticated attacker to perform an SQL injection via the HTTP server's "websockify" endpoint. By invoking the login action with a crafted username, an attacker can use timing attacks to discover user passwords.

Recommendations For Grandstream UCM6200 series versions prior to 1.0.20.22, update to version 1.0.20.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the websockify endpoint to minimize the risk of exploitation. Avoid using crafted usernames in the login action until the issue is resolved.