Grandstream HT800 series Provisioning Command Injection

Advisory ID: RSN-SIP-1661

Vulnerability Information

Grandstream HT800 series firmware version and below is vulnerable to an OS command injection vulnerability. An unauthenticated remote attacker can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message.

Technical Information

The HT800 series is vulnerable to command injection via the configuration file when P240 is set to 1 and P2 (the password parameter) contains shell metacharacters, for example: P2=telnetd%24{IFS}-l/bin/sh.

An unauthenticated remote attacker could trigger this injection via an x-gs-ucm-url SIP message. We created a proof of concept called that starts a root bindshell on port 23.
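As an added example (not part of the advisory and not Grandstream's or RedShift's code), the following checker scans a provisioning file for the pattern described above: P240 set to 1 and a P2 value carrying shell metacharacters, URL-decoded first so that an encoded `$` (`%24`) is not missed. The plain-text `Pnnn=value` layout and the `#` comment convention are assumptions; the sample file is constructed and reuses the advisory's own example value.

```python
import re
from urllib.parse import unquote

# Characters that let a parameter value break out of a shell command line
# when the device interpolates it without quoting or escaping.
SHELL_META = re.compile(r'[;&|`$<>(){}\\\n]')


def parse_pvalues(text):
    """Parse a plain-text provisioning file into a {P-key: value} dict.

    Layout assumed: one 'Pnnn=value' per line, '#' comments and blank
    lines ignored. Values are kept exactly as written (still URL-encoded).
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep and re.fullmatch(r'P\d+', key.strip()):
            params[key.strip()] = value
    return params


def find_injection(params):
    """Return findings for the P240=1 + metacharacters-in-P2 pattern.

    The value is URL-decoded before inspection, so '%24{IFS}' is seen
    as '${IFS}' just as the device's shell would see it.
    """
    findings = []
    if params.get('P240', '').strip() != '1':
        return findings
    raw = params.get('P2', '')
    decoded = unquote(raw)
    if SHELL_META.search(decoded):
        findings.append({'param': 'P2', 'raw': raw, 'decoded': decoded,
                         'reason': 'shell metacharacters in password with P240=1'})
    return findings


# Constructed sample provisioning file using the advisory's example value.
SAMPLE_CONFIG = """# constructed example, not a real device export
P240=1
P2=telnetd%24{IFS}-l/bin/sh
P3=admin
"""

if __name__ == '__main__':
    for f in find_injection(parse_pvalues(SAMPLE_CONFIG)):
        print(f"[!] {f['param']}: {f['raw']!r} -> {f['decoded']!r}: {f['reason']}")
```

Run it over configuration files served by a provisioning server, or over files pulled from a suspect device, to spot a tampered password field before the device applies it.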


The UCTM solution from RedShift Networks provides the industry's first complete security solution developed to secure VoIP networks, endpoints and applications. Its research team is constantly looking for new attack patterns, advanced penetration testing methods, vulnerability identification and deployment of new signatures for subscribed clients. For more information visit

External Resources

Common Vulnerabilities and Exposures (CVE)