Firmware for UCM6202/6204/6208 is released as Beta



Firewall is all good, the hacker is not actually getting into the ucm but calling one of my numbers and having it call forward to a premium number costing me a lot £$.
This seems to have been reported for some time now. apparently this latest firmware update has addressed the issue but if we trust it has and it does not then its going to cost a lot of people.
Typical that you blame others for their security flaws!
And about the Time Rules ?


I told you the solution. You have a problem and it’s up to you to solve it, not Grandstream.


The fix appears to work.

I have a client who was having the issues with the latest security breach (videoconference). There were over 800 calls attempted, but none made it thru as I have international dialing turned off at the provider. I installed the new load of FW and the CDR is now clean since.

However, what is interesting is that this is a client that has an IT firm manage their router. They were instructed on what ports as well as the associated IPs that should be allowed. While I cannot attest to the fact that they implemented the recommendations or did them correctly, I can say that I have a fairly large number of other sites around that I manage and I do implement the rules at a firewall level and none have been breached nor am I getting any fail2ban entries or notices from the provider about the issue.

However, I do not believe the issue you describe is the same issue that GS addressed in the latest FW update. While GS did not release any details of how the breach was accomplished nor what/how the FW prevented same (I assume to prevent hackers from understanding what was done and have a better idea of how to defeat), it seemed not to be related to any forwarding. Here is a CDR of such-

It is an attempted call to the Caymen Islands. There are two legs as there are two trunks, so when the call would not progress on the 1st trunk, the system used the failover…which also failed. To me, it appears as if the breach is using the UCM to make the call as there are no other legs - in and out.

So, how is the hacker being able to manage a phone to the extent that call forwarding is being used so they can make calls?

The only time I ever had a similar instance is when a cleaning crew would come in at night and then find extensions and set forwarding on the phone using either the softkeys as the forward was on the phone, not on the UCM. Then after cleaning the office, they would call in to the office and reach the extension by DID, IVR or transfer and get to the destination they programmed.

Damiano’s native language is Italian and his suggestion is still valid as he had no way to know if you had already implemented firewall rules.

I just tested the time conditions on the outbound routes and they do appear to work.

I have numerous trunks set on my test system.

My office time is set from 0900-1700, Mon-Fri. I selected one of my primary trunks and then set accordingly in the outbound route-

The s20 is a peer to another PBX, which will not accommodate the 11 digit dialing rule I have established for a normal outbound call. The PBX on the other end rejects the call which is relayed to the phone. This is a simple config and it is unknown if you are using failover trunks or other variables that may make it a little more complex, but the rule does work. If nothing else create a dummy peer trunk and direct to that. The function was not really designed to prevent calls but rather to take advantage of better routing for either cost reason or geographical related to time (multi-time zones) to other trunks be they SIP or analog.

To me, while your idea of directing the call is noven and will work, I would prefer to stop them before they can possibly get to this point; hence my question of how are they accomplishing.


Hi Larry
Thanks for the in depth reply,
My system isn’t to complicated we just use it as a basic phone system without call fwd or IVR ( we intend to soon though)
34 extensions, one call group, 22 ddi, 1 trunk.
I have FTB working and got a ton of catches early on whilst testing the system, Since that i have tightened up with the firewall and white lists etc, that seems to have plugged that hole!

small sample!!
So this type of attack wasn’t the issue the other day because fail to ban is set to aggressive and my Draytek router has been tightened up considerably, so with that in mind, the attacks were as you showed a kind of in out via the actual calls, weird as i don’t have Call Fwd active, i have even gone to the length of turning CF feature codes off… we don’t need them.
So I really hope that you are correct and the upgrade fixed the problem, which only goes to prove that there was/is a problem with the software, I am aware that this is a battle between developers and the bad-bastards out there.
Thanks for the info anyway, fingers crossed :slight_smile:
2nd issue the time conditions.
I have 2 time conditions but when i try to put this in outbound of in fact any other place it gives me no choice and enters default (as you image)
why do i not get a drop down choice of the 2 options ? i guess this will need addressing?

Kind Regards


You can select specific time conditions in out bound routes but not subsets of each category. In your case you have set two office time conditions but can’t use either independently.
I think the only way you can achieve what I think you want is using specific time on the outbound route as below


Well, I am a little confused with the time conditions-
First, the screenshot you are showing is to set your office time. Nothing more, nothing less; only the hours that the office would normally be open to take calls.
The bottom rule is overlapping the first so effectively you are open 7 days a week from 0730 to 2230.

As RTL is indicating, the exceptions are made at the route level. This is what I am showing in my screenshot where I have set an out of office rule so the system will use that specifically when we are not open so the calls will go to a route that will not any outbound calls to flow


Mmm i see, thanks, that make a lot more sense,
I will just set the out of office times instead of trying to set 2 different in office times!


@GS.Jimmy I wrote my “ideas” and my rehearsal over you. Let me know if you need anything else.
I take this opportunity to send my best wishes to all the GS staff and forum goers :slight_smile:


Help please,
I have been trying to get 2 different outbound time rules to work as i want,
i have 2 permissions set 1 - national and 2 - international
on the national i have set to office time 7.45-18.15
on the international i set Specific Time 07:45-22:15
but the international phones stop working to call out at the same time as the national time set.
What am i doing wrong or is this a bug ?
I know the times over lap but i wouldn’t think that matters as the later one is for off site phones that work late


it is not by opening 20 identical posts that you get the answers, so it just creates confusion :slight_smile:


Sorrow about that. My mistake


Thank you for all the feedback. We will take these requests into consideration.

Do you see that crash alert in the Maintenance->System Events page? You should be able to download the coredump from there.


unfortunately I had checked and there was nothing (also seemed strange to me), I still did a lot of tests and formatted at least 2 times, probably lost, if it happens again I will update you.


Where is the documentation for this new HTTP API?



I would like to remind the engineers of GS (but I think they already know it) that on Zero Config the whole GRP series is unusable, it lacks the possibility to set the BLF and more, only GRP2614 (1.3) is almost in place.
It seems to me a problem of priority importance.
I had to make an estimate with many GRP phones but for this reason I preferred to do it with GXP2100 series phones.


always in the area of “advice” I would like to point out the need to:

  • import export on outgoing rules (on incoming rules already has been done).
  • import export customized models on Zero Config (each model can add up to 50 “P” - increased limit time - and it becomes essential to be able to manage with import/export the model).
  • create codes to make the final customer autonomous to modify system messages (IVR messages and other)
  • solve the problem of the Blacklist “to countries” (it doesn’t work in Italy) to date unusable if UCM has not been activated in the USA, so you need to be able to tell UCM where it is located in order to correctly manage international prefixes, for example it works on 3CX).


I already gave you the solution in the post you opened.

there is no problem on UCM but only your setting.


on “Automatic download” in CDR I tried and it doesn’t work.
Despite having 10 call events on CDR, the csv file received via email is completely empty (there are only headers).


Hi, everyone. I know is Beta but as there are so many really nice fixes and features in it I’m wondering what the feeling is out there about applying it to production boxes. We have 3 UCM’s about ready to go LIVE (in about 9 days replacing our central FusionPBX server) and it would be nice to be able to take advantage of all that offers. A simple thing, ability to set own prompt recording on Dial By Name is a biggie (believe it or not) as our owner HATES then current system. No system is heavily used; 6202 has 5 extensions, 6204 20 extensions and 6208 30 extensions. Nothing too fancy in terms of routing, IVR or time conditions. Anyway, interested in your thoughts.