Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25217
Reference (s):
- https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0001/FEYE-2021-0001.md