All, Over the last few months we have uncovered a vulnerability in the HT502 that allows for theft of credentials from customer devices. I am sending this out since the issue has now been resolved in a new release of firmware BUT Grandstream have NOT sent out any kind of pro-active notifications nor included this fix in their release notes for this build. After conferring with some other sizable providers also using this device at scale, they were able to "connect the dots" on their up-tick in fraud based on our discovery. First some history: We currently have over 50,000 deployed HT502's in active customer service. Beginning in December we saw an immediate and sizable up-tick in fraud by easily an order of magnitude. Statistical analysis of the fraud showed the ONLY linking factor to be the fact that the compromised accounts were ALL using the HT502 device AND had WAN port access enabled to the device, and we as the provider were locked out (admin password changed, no longer provisioning from us on scheduled interval) After some digging and conferring with Grandstream technical gurus it was confirmed there was a buffer overflow vulnerability that would allow a remote attacker to change the admin password WITHOUT rebooting the device or otherwise having any administrative access to it. Once the password was changed the attacker could log in with the new password and complete control. On all versions prior to 1.0.5.10 the SIP credentials could be extracted from the admin website with the "Download config" option. On versions up to 1.0.8.4 the sip credentials were STILL extractable from the telnet interface if the provisioning values were known by the attacker. All of these vulnerabilities are fixed in version 1.0.9.1. I encourage you to test and deploy this version ASAP. I am sending this out in a purely advisory capacity in the hopes that education will prevent further monetary damages. Please feel free to contact me on or off list if you want to know more about this issue. -Ryan