PT-2024-24989 · Grandstream · Grandstream Gxp2135

Matthew Bernath · Published 2024-07-03 · Updated 2025-09-04 · CVE-2024-32937

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grandstream GXP2135 versions 1.0.9.129 through 1.0.11.79

Description: An OS command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

Recommendations: For versions 1.0.9.129, 1.0.11.74, and 1.0.11.79, consider disabling the CWMP SelfDefinedTimeZone functionality until a patch is available, to prevent arbitrary command execution. Restrict network access to the devices to minimize the risk of exploitation. Avoid using the vulnerable functionality on the affected Grandstream GXP2135 devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-32937

Affected Products

Grandstream Gxp2135