HTTP auth password hacked for Grandstream phones?


Feb 25, 2017
Hi guys,

I use autoprovisioning GAPS from Grandstream. I set a server profile there to use fusionpbx by HTTPS with HTTP authentication, and set HTTP user/pass to let the devices be pointed to my fusionpbx server with HTTP credentials.

Today I got a distributed attack from global IPs, connecting to my fusionpbx server using valid HTTP credentials and requesting specific existing MACs, so the configs for about 6 devices were downloaded, including of course the credentials for the SIP accounts, and they started to generate traffic.

I solved it for now by stopping these IP addresses, but my concern is that the vector here is all Grandstream devices, in different customers/locations.
My concern is whether GAPS was compromised in some way and the credentials were obtained from there.

Any similar issues?

Thanks in advance.
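
A defender-side check for the pattern described in the post, as an added example that is not part of the original post: it scans a web access log for successful, authenticated provisioning downloads where the requesting IP is not the site registered for that MAC, and lists the devices whose SIP passwords should be rotated. The log lines, the `/provision/<mac>.xml` path, the `provuser` account and the `KNOWN_SITES` inventory are all constructed assumptions; adapt the pattern to the real log format and provisioning URL.

```python
import re

# Constructed access-log lines (combined log format). The path layout
# /provision/<mac>.xml is a placeholder, not the server's real URL scheme.
SAMPLE_LOG = """\
198.51.100.10 - provuser [24/Feb/2017:09:00:01 +0000] "GET /provision/000b82aabb01.xml HTTP/1.1" 200 4211
198.51.100.10 - provuser [24/Feb/2017:09:00:05 +0000] "GET /provision/000b82aabb02.xml HTTP/1.1" 200 4198
203.0.113.77 - provuser [25/Feb/2017:03:12:40 +0000] "GET /provision/000b82aabb01.xml HTTP/1.1" 200 4211
192.0.2.45 - provuser [25/Feb/2017:03:12:41 +0000] "GET /provision/000b82aabb02.xml HTTP/1.1" 200 4198
192.0.2.99 - provuser [25/Feb/2017:03:12:42 +0000] "GET /provision/000b82aabb03.xml HTTP/1.1" 401 0
198.51.100.10 - provuser [25/Feb/2017:09:00:02 +0000] "GET /provision/000b82aabb01.xml HTTP/1.1" 200 4211
"""

# Hypothetical inventory: the public IP(s) each phone normally provisions from.
KNOWN_SITES = {
    "000b82aabb01": {"198.51.100.10"},
    "000b82aabb02": {"198.51.100.10"},
    "000b82aabb03": {"198.51.100.20"},
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET \S*?(?P<mac>[0-9A-Fa-f]{12})\S* HTTP/[\d.]+" (?P<status>\d{3}) '
)

def find_foreign_fetches(log_text, known_sites):
    """Return (timestamp, ip, mac, user) for every successful config
    download whose source IP is not a registered site for that MAC."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # only a 200 means the SIP credentials left the server
        mac, ip = m["mac"].lower(), m["ip"]
        if ip not in known_sites.get(mac, set()):
            alerts.append((m["ts"], ip, mac, m["user"]))
    return alerts

def macs_to_rotate(alerts):
    """MACs whose config reached a foreign IP: treat their SIP
    passwords as exposed and rotate them."""
    return sorted({mac for _, _, mac, _ in alerts})

if __name__ == "__main__":
    for alert in find_foreign_fetches(SAMPLE_LOG, KNOWN_SITES):
        print("foreign provisioning fetch:", alert)
```

Because the requests carried valid HTTP credentials, the shared provisioning password also has to be changed; the per-MAC list only covers the SIP accounts already served.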