Refine your search
1 vulnerability found for GXP2135 by Grandstream
CVE-2024-32937 (GCVE-0-2024-32937)
Vulnerability from cvelistv5
Published
2024-07-03 14:05
Modified
2025-11-04 17:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grandstream | GXP2135 |
Version: 1.0.11.74 Version: 1.0.11.79 Version: 1.0.9.129 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:grandstream:gxp2135_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gxp2135_firmware",
"vendor": "grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.74"
},
{
"status": "affected",
"version": "1.0.11.79"
},
{
"status": "affected",
"version": "1.0.9.129"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T14:16:57.228461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T14:59:05.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:20:20.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GXP2135",
"vendor": "Grandstream",
"versions": [
{
"status": "affected",
"version": "1.0.11.74"
},
{
"status": "affected",
"version": "1.0.11.79"
},
{
"status": "affected",
"version": "1.0.9.129"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Matthew Bernath of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T17:00:11.294Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1978"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2024-32937",
"datePublished": "2024-07-03T14:05:35.575Z",
"dateReserved": "2024-04-19T20:26:32.967Z",
"dateUpdated": "2025-11-04T17:20:20.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}