Primary

Context

Curo UC300 OS Command Injection Vulnerability in Admin Panel

Vulnerability

A vulnerability allowing OS command injection has been identified in the Admin panel of the Curo UC300 IP phone, specifically in version 5.42.1.7.1.63R1. This vulnerability allows local attackers to inject arbitrary operating system commands through the 'IP Addr' parameter.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.

Reproduction

To reproduce this vulnerability, log into the admin panel of the UC300 phone. Navigate to the 'Network' section and then to 'Diagnostics'. In the 'IP Addr' field, inject a Linux command and click 'Start' to execute the command on the phone.

Remediation

The vendor has developed and rolled out a firmware update to address this vulnerability.

Added: Oct 8, 2025, 7:17 PM

Updated: Oct 8, 2025, 8:28 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.2

remediation

0.0

relevance

0.6

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.2

remediation

0.0

relevance

0.6

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Curo UC300 OS Command Injection Vulnerability in Admin Panel

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating