CVE-2025-28170: Grandstream GXP1628 Exposes Sensitive Data via Directory Listing
Grandstream Networks GXP1628 VoIP phones are widely used in business environments. A recently discovered vulnerability allows unauthorized access to sensitive data due to an improperly configured web server. Let's dive into the details.
Vulnerability Details
- CVE ID: CVE-2025-28170
- Description: Grandstream Networks GXP1628 (<=1.0.4.130) is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files. This means anyone who knows the URL can simply browse the phone's file system and potentially access configuration files, logs, or other sensitive data.
- CVSS Score and Vector:
  - CVSS v3.1 Score: 7.6 (HIGH)
  - CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
  - Explanation: An attacker with network access and low privileges can cause a high confidentiality impact, with low impact on integrity and availability. The low privilege requirement makes this relatively easy to exploit.
- Exploit Requirements: The attacker needs network access to the device and potentially valid (but low privileged) credentials to access the web interface.
- Affected Vendor, Product, Version:
  - Vendor: Grandstream Networks
  - Product: GXP1628
  - Version: <=1.0.4.130
- CWE:
  - CWE ID: CWE-548
  - CWE Name: Exposure of Information Through Directory Listing
  - Explanation: CWE-548 occurs when a web server is configured to list the files and subdirectories within a directory whenever no default index file (e.g., index.html) is present. This allows unauthorized users to explore the server's file system and potentially access sensitive files they should not be able to reach.
Timeline of Events
- 2025-07-29: Vulnerability Reported.
- 2025-07-29: CVE ID Assigned.
Exploitability & Real-World Risk
The exploitability of this vulnerability is relatively high. Since directory listing is enabled by default, an attacker can easily discover sensitive files without sophisticated tools. In a real-world scenario, this could lead to attackers gaining access to SIP credentials, network configurations, or even phone logs that contain sensitive information. Imagine an attacker obtaining SIP credentials and using them to make fraudulent calls or eavesdrop on conversations. The risk is significant, especially for businesses that rely on these phones for critical communications.
Recommendations
- Upgrade Firmware: Immediately update your Grandstream GXP1628 phones to the latest firmware version provided by Grandstream.
- Disable Directory Listing: If possible, disable directory listing on the phone's web server configuration. This will prevent unauthorized users from browsing the file system even if they have access to the web interface.
- Review Access Controls: Ensure that access to the phone's web interface is properly restricted and that only authorized personnel have access. Use strong passwords and multi-factor authentication where possible.
- Network Segmentation: Consider segmenting your VoIP network from your main corporate network to limit the impact of a potential breach.
Technical Insight
The underlying flaw lies in the web server configuration of the Grandstream GXP1628. The server is not properly configured to prevent directory listing, which is a basic security best practice. By default, web servers should either serve an index file or return a '403 Forbidden' error when a directory is accessed without an index file. The GXP1628 fails to do this, exposing its file system to anyone with network access.
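The example below is added to this advisory and is not Grandstream's code; the phone's actual web server and file layout are not documented here, so Python's built-in http.server stands in for it. It models the CWE-548 behaviour described in the Technical Insight and CWE sections and shows the two defender-side pieces the Recommendations call for: a handler hardened so that a directory with no index file returns 403 Forbidden instead of a listing, and a small checker an administrator can run against a device's web interface to confirm that listings are no longer served. The loopback host, ephemeral port, `config/` directory and `device.cfg` contents are all constructed for the demo.

```python
"""Added example (not Grandstream's code). Models CWE-548 with Python's
http.server: a stock handler that lists directories, a hardened handler that
answers 403 instead, and a checker that classifies what a server returns.
Host, port and sample files are constructed for the demo."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Fragments that common servers emit in an auto-generated listing page
# (Python's http.server, Apache mod_autoindex, nginx autoindex). These are
# heuristics for the checker; a device-specific server may use other text.
LISTING_MARKERS = (b"Directory listing for", b"Index of /")


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock file server (lists directories), with request logging silenced."""

    def log_message(self, format, *args):
        pass


class NoListingHandler(QuietHandler):
    """Same server, hardened: a directory with no index file yields 403."""

    def list_directory(self, path):
        # SimpleHTTPRequestHandler only calls this when no index.html/index.htm
        # exists; answering 403 here is the behaviour the advisory asks for.
        self.send_error(HTTPStatus.FORBIDDEN, "Directory listing disabled")
        return None


def classify(status, body):
    """Map an HTTP status and response body to what the checker reports."""
    if status == 200 and any(marker in body for marker in LISTING_MARKERS):
        return "listing"        # CWE-548: the server enumerated the directory
    if status == 200:
        return "content"        # an index file or a regular resource was served
    if status in (401, 403):
        return "denied"         # the expected hardened response
    if status == 404:
        return "missing"
    return "other:%d" % status


def check_url(url, timeout=5):
    """Fetch one URL (ignoring proxy settings) and classify the response."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


def serve(handler_cls, root):
    """Start a handler on an ephemeral loopback port; return (server, base_url)."""
    handler = functools.partial(handler_cls, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Compare the stock and hardened handlers on a constructed document root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "config"))      # constructed directory with no index file
    with open(os.path.join(root, "config", "device.cfg"), "w") as fh:
        fh.write("setting=value\n")                # constructed placeholder content
    results = {}
    for name, handler_cls in (("stock", QuietHandler), ("hardened", NoListingHandler)):
        server, base = serve(handler_cls, root)
        try:
            results[name] = check_url(base + "/config/")
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    # Expected: {'stock': 'listing', 'hardened': 'denied'}
    print(demo())
```

To audit a real phone after a firmware update, call `check_url()` with the device's web interface base URL and each directory path your deployment exposes; a result of `"listing"` means directory listing is still enabled, while `"denied"` or `"content"` is the expected post-fix outcome. The marker list is deliberately a heuristic: if the device's server formats listings differently, extend `LISTING_MARKERS` rather than trusting a `"content"` verdict blindly.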
Credit to Researcher(s)
This vulnerability was discovered by Exek1el.
Tags
#Grandstream #GXP1628 #VoIP #DirectoryListing #CVE-2025-28170 #SecurityVulnerability #UnauthorizedAccess #DataBreach
Summary: Grandstream GXP1628 VoIP phones are vulnerable to unauthorized access due to directory listing being enabled. This allows attackers to browse the phone's file system and potentially access sensitive data like SIP credentials and network configurations. Update your firmware and disable directory listing immediately to mitigate this risk.
CVE ID: CVE-2025-28170
Risk Analysis: Successful exploitation can lead to attackers gaining access to sensitive data such as SIP credentials, network configurations, and phone logs. This can result in fraudulent calls, eavesdropping, and further compromise of the network.
Recommendation: Update the Grandstream GXP1628 firmware to the latest version, disable directory listing in the web server configuration, review access controls, and consider network segmentation.
Timeline
- 2025-07-29: Vulnerability reported and CVE ID assigned.