Feye-2021-0001

Description

Grandstream Networks' GRP261x VoIP phone running firmware version 1.0.3.6 (Base) is susceptible to authenticated command injection as the privileged user root in its administrative web interface. When combined with CVE-2020-25218, unauthenticated remote code execution is possible. The issue is suspected to have been introduced prior to firmware version 1.0.3.6 but was not verified.

Impact

High - Remote attackers with network access could compromise the device, potentially installing malware, modifying system behavior, or staging more serious attacks.

Exploitability

High - When combined with CVE-2020-25218, an unauthenticated user can execute commands as the privileged user root.

CVE Reference

CVE-2020-25217

Technical Details

Mandiant discovered the GRP261x is vulnerable to command injection in the following API:

The POST parameter was improperly sanitized by the server, leading to a command injection vulnerability.

Resolution

Fixed in version 1.0.5.27 (October 2020) of GRP261x software.

Discovery Credits

Jake Valletta, FireEye Mandiant
Michael Maturi, FireEye Mandiant

Disclosure Timeline

9 September 2020 - Issue reported to vendor and CVE reserved
11 September 2020 - Issue confirmed by Grandstream Networks
30 October 2020 - Grandstream Networks released patch
22 March 2021 - FireEye Mandiant advisory published

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25217
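As an added illustration of the bug class described in the Technical Details (not Grandstream's firmware code or Mandiant's analysis; the `target` parameter name and the diagnostic command are hypothetical), the following shows the injection-prone pattern of splicing a POST parameter into a shell string next to a hardened handler that allow-lists the value and invokes the program without a shell:

```python
import re
import shlex
import subprocess
from typing import List

# Constructed allow-list for a hostname-style parameter: letters, digits,
# dots and hyphens only, bounded length. Anything else is rejected outright
# rather than "cleaned", so shell metacharacters never reach a command line.
_TARGET_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def build_command_unsafe(target: str) -> str:
    """Injection-prone pattern: untrusted input interpolated into a string
    that is later handed to a shell (e.g. via os.system / shell=True).
    Shown only so the test can demonstrate what the validator must block."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Return the value unchanged if it matches the allow-list, else raise."""
    if not _TARGET_RE.fullmatch(target):
        raise ValueError("rejected target parameter")
    return target


def build_command_safe(target: str) -> List[str]:
    """Hardened form: validated value placed in an argv list, with '--' so a
    leading '-' cannot be parsed as an option. Executed without a shell,
    metacharacters such as ';', '|' or '$(...)' carry no meaning."""
    return ["ping", "-c", "1", "--", validate_target(target)]


def run_diagnostic(target: str) -> subprocess.CompletedProcess:
    # shell=False (the default) means no shell interprets the arguments.
    return subprocess.run(build_command_safe(target), capture_output=True,
                          text=True, timeout=10, check=False)


def shell_would_split(target: str) -> int:
    """How many shell words the unsafe string would become; >4 means the
    parameter value injected extra tokens into the command line."""
    return len(shlex.split(build_command_unsafe(target), posix=True))
```

`run_diagnostic` is the only function that executes anything; the others are pure and can be exercised offline.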