CVE-2020-5726

Name of the Vulnerable Software and Affected Versions Grandstream UCM6200 series versions prior to 1.0.20.22

Description The issue allows a remote unauthenticated attacker to perform an SQL injection via the CTI server on port 8888. This can be achieved by invoking the challenge action with a crafted username, potentially leading to the discovery of user passwords.

Recommendations For Grandstream UCM6200 series versions prior to 1.0.20.22, update to version 1.0.20.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the CTI server on port 8888 to minimize the risk of exploitation.