Grandstream


Products by Grandstream, sorted by most security vulnerabilities since 2018

Grandstream Ucm6510 Firmware: 2 vulnerabilities

Known Exploited Grandstream Vulnerabilities

The following Grandstream vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Grandstream Networks UCM6200 Series SQL Injection Vulnerability
Description: Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.
CVE: CVE-2020-5722 (Exploit Probability: 92.7%)
Added: January 28, 2022

The vulnerability CVE-2020-5722: Grandstream Networks UCM6200 Series SQL Injection Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there has been 1 vulnerability in Grandstream. Last year, in 2025, Grandstream had 4 security vulnerabilities published. Right now, Grandstream is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year  Vulnerabilities  Average Score
2026  1                0.00
2025  4                3.50
2024  1                8.10
2023  0                0.00
2022  0                0.00
2021  0                0.00
2020  1                9.80

It may take a day or so for new Grandstream vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Grandstream Security Vulnerabilities

CVE-2026-2329 (Feb 18, 2026)
Title: GXP 16xx Stack Buffer Overflow /cgi-bin/api.values.get RCE Root
Description: An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

CVE-2025-14186 (Dec 07, 2025)
Title: Grandstream GXP1625 1.0.7.4 XSS via vpn_ip in api.values.post
Description: A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-28170 (Jul 29, 2025)
Title: Grandstream GXP1628 <=1.0.4.130 RCE via Directory Listing
Description: Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.
Products: Gxp1628 Firmware

CVE-2025-28171 (Jul 29, 2025)
Title: Sensitive Info Leak in Grandstream UCM6510 v1.0.20.52 and earlier via /cgi
Description: An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.
Products: Ucm6510 Firmware

CVE-2025-28172 (Jul 29, 2025)
Title: Grandstream UCM6510 v1.0.20.52 & B4: Infinite Auth Attempts (RSAM)
Description: Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
Products: Ucm6510 Firmware

CVE-2024-32937 (Jul 03, 2024)
Title: Grandstream GXP2135 OS Command Injection in CWMP SelfDefTZ (1.0.9.129-1.0.11.79)
Description: An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
Products: Gxp2135 Firmware

CVE-2020-5722 (Mar 23, 2020)
Title: The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request
Description: The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
Products: Ucm6200 Firmware
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).