Vulnerability Database

300,830

Total vulnerabilities in the database

CVE-2020-5739

Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker adds an OpenVPN up script to the phone's VPN settings via the "Additional Settings" field in the web interface. When the VPN's connection is established, the user defined script is executed with root privileges.

Published: Apr 14, 2020
Updated: Nov 9, 2025
CVE: CVE-2020-5739
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
grandstream / gxp1610_firmware	-	1.0.4.152.x
grandstream / gxp1615_firmware	-	1.0.4.152.x
grandstream / gxp1620_firmware	-	1.0.4.152.x
grandstream / gxp1625_firmware	-	1.0.4.152.x
grandstream / gxp1628_firmware	-	1.0.4.152.x
grandstream / gxp1630_firmware	-	1.0.4.152.x

https://www.tenable.com/security/research/tra-2020-22

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo