CVE-2025-28171: Grandstream UCM6510 Sensitive Information Disclosure

Grandstream UCM6510 devices are popular IP PBXs used by businesses of all sizes. A recently discovered vulnerability could allow attackers to remotely access sensitive information.

Vulnerability Details

  • CVE ID: CVE-2025-28171
  • Description: A vulnerability in Grandstream UCM6510 v.1.0.20.52 and prior allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi. This could include credentials, configuration details, or other sensitive data.
  • CVSS Score: 6.5 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVSS Explanation: This CVSS vector describes a vulnerability that is remotely exploitable (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N). It affects confidentiality and integrity to a low degree (C:L/I:L) and has no impact on availability (A:N). In short, an attacker can remotely read some data and make limited modifications to some data, but cannot crash the system.
  • Exploit Requirements: The attacker needs network access to the UCM6510 device. No authentication is required.
  • Affected Vendor: Grandstream
  • Affected Product: UCM6510
  • Affected Version: v.1.0.20.52 and prior
  • CWE: CWE-922 - Insecure Storage of Sensitive Information
  • CWE Explanation: The device stores sensitive information without properly limiting who can read or write it, making it easier for attackers to steal.

Timeline of Events

  • 2025-07-29: Vulnerability publicly disclosed and CVE assigned.

Exploitability & Real-World Risk

This vulnerability is relatively easy to exploit as it requires no authentication and can be performed remotely. The real-world risk is significant, as compromised UCM6510 devices could allow attackers to eavesdrop on phone calls, steal sensitive business data, or even gain access to the internal network.

Recommendations

  • Apply the latest patch: Check Grandstream's website for a firmware update that addresses this vulnerability.
  • Restrict network access: Limit access to the UCM6510 device to only trusted networks.
  • Monitor network traffic: Implement network monitoring to detect suspicious activity.
  • Review security configurations: Ensure that the UCM6510 device is configured with strong passwords and secure settings.
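
The "restrict network access" and "monitor network traffic" recommendations can be combined into one check. The following is an added example, not code from Grandstream or the researcher: it scans web access logs for requests to the two endpoints named in the advisory that come from outside a trusted management range. It assumes the PBX web interface sits behind a reverse proxy that writes combined-format access logs; the trusted networks, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management networks that are allowed to reach the PBX web UI.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]
# Endpoints named in the advisory; match the path itself, with or without a query string.
WATCHED = re.compile(r"^/(cgi|webrtccgi)(?:[/?]|$)")
# Combined log format: ip - - [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [29/Jul/2025:09:01:12 +0000] "POST /cgi HTTP/1.1" 200 512
203.0.113.7 - - [29/Jul/2025:09:02:40 +0000] "POST /cgi HTTP/1.1" 200 498
203.0.113.7 - - [29/Jul/2025:09:02:41 +0000] "POST /webrtccgi HTTP/1.1" 200 377
198.51.100.23 - - [29/Jul/2025:09:05:03 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [29/Jul/2025:09:02:43 +0000] "POST /cgi?_=1 HTTP/1.1" 200 498
not a log line
"""

def is_trusted(ip_text):
    """Return True only if the source parses as an IP inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_hits(log_text):
    """Count requests to the watched endpoints per (untrusted source IP, path)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        src, _method, path, _status = m.groups()
        if WATCHED.match(path) and not is_trusted(src):
            hits[(src, path.split("?", 1)[0])] += 1
    return hits

if __name__ == "__main__":
    for (src, path), n in sorted(untrusted_hits(SAMPLE_LOG).items()):
        print(f"ALERT untrusted source {src} -> {path}: {n} request(s)")
```

Any alert from a source outside the management range also means the access restriction is not in effect for that path.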

Technical Insight

The vulnerability likely stems from improper handling of sensitive information during the login process. The `/cgi` and `/webrtccgi` interfaces are probably exposing internal data or not securely storing credentials, allowing an attacker to retrieve them with a simple request.

Credit to Researcher(s)

Exek1el (as indicated by the gist)

Tags

CVE-2025-28171, Grandstream, UCM6510, Information Disclosure, VoIP Security

Summary: Grandstream UCM6510 devices are vulnerable to an information disclosure vulnerability (CVE-2025-28171) allowing remote attackers to obtain sensitive information via the login function. Update your device and restrict network access to mitigate this risk.

Risk Analysis: Compromised devices can leak sensitive business data, allow eavesdropping on phone calls, and potentially provide access to the internal network.

Recommendation: Apply the latest patch from Grandstream, restrict network access to the device, and monitor network traffic for suspicious activity.
