VYPR
High severity8.1NVD Advisory· Published Apr 21, 2017· Updated Jun 17, 2026

CVE-2016-1518

CVE-2016-1518

Description

The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.

Affected products

2
  • Grandstream/Wave2 versions
    cpe:2.3:a:grandstream:wave:*:*:*:*:*:android:*:*+ 1 more
    • cpe:2.3:a:grandstream:wave:*:*:*:*:*:android:*:*range: <=1.0.1.26
    • (no CPE)range: <=1.0.1.26

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.