Blog

Grandstream Default Username and Password

Grandstream Default Username and Password

If you’re staring at a Grandstream login screen right now, here’s the short version: most Grandstream devices still ship with admin as both the username and password — but a growing number of newer units use a unique password printed on a sticker on the device itself, not a shared default. Which one applies depends entirely on your device type and its manufacture date.

That distinction trips up a lot of installers, especially on mixed networks where an office might be running an older HT802 gateway alongside a brand-new UCM6304A PBX. Getting it wrong wastes time; using the wrong assumption on a production PBX can also lock you out entirely, since Grandstream’s newer security model doesn’t allow password recovery the way older firmware did.

Default Credentials by Device Type

Device Type Default Username Default Password Notes
Routers (GWN routers, older models) admin admin Default IP typically 192.168.0.60 or 192.168.2.1
GWN WiFi Access Points admin admin Set during zero-touch provisioning if using GWN Manager
Older GXP/GRP IP Phones admin admin Some legacy units still use this pattern
Newer GXP/GRP IP Phones admin Unique password on device label Newer models use admin as the login name but require a custom password created at first login
UCM62xx / UCM63xx PBX (older units) admin admin Forces a password change on first login
UCM6300A / UCM630xA Series (current) admin Unique password on device sticker Newer UCM versions print the admin password on a sticker on the bottom of the device

The safest starting point on any device you haven’t logged into before: check the physical label on the bottom or back of the unit before assuming admin/admin will work.

Why the Old admin/admin Default Is Disappearing

Grandstream has been phasing out shared default passwords across its product lines, largely in response to widespread VoIP fraud targeting exposed PBX systems. Grandstream’s own UCM security documentation warns that placing a UCM directly on a public network can expose its address and create serious security risks, which is part of why newer hardware no longer relies on a predictable password anyone could look up. If you’re provisioning a new UCM6300A, GXP2170, or similar recent model, expect to find a unique password rather than the classic admin/admin combination.

Finding Your Device’s Default IP Address

Before you can log in at all, you need the correct local IP address. Most Grandstream routers and PBX units default to an address in the 192.168.x.x range, but the exact value varies by model. The fastest ways to confirm it:

  • Check the label on the underside of the device — many current models print the IP directly on it
  • Use the LCD screen (UCM63xx and similar units have one) to view network status
  • Check your router’s connected-devices list if you don’t have physical access

Logging In for the First Time

  1. Connect the device to your network and power it on
  2. Open a browser and enter the device’s IP address
  3. Enter the username (almost always admin)
  4. Enter the password — either admin or the unique password from the device label
  5. On first login, most current firmware forces an immediate password change before granting further access

If the login page doesn’t load at all, double-check that your computer is on the same subnet as the device, since a mismatched IP range is a more common problem than wrong credentials.

Locked Out? Recovery Options

Losing access to a live PBX is more disruptive than losing access to a router, so Grandstream’s UCM series offers two recovery paths depending on whether you planned ahead:

If you configured a recovery email (recommended during initial setup): go to the UCM web UI login page, click “Forget Password,” and a recovery email will be sent to the address linked to the admin account.

If no recovery email was set: you’ll need to perform a hard factory reset from the LCD interface, then log in again using the default admin credentials. This wipes custom configuration, so it should be a last resort on a production system.

One important caveat for changed (not forgotten-at-first-login) passwords: once a UCM admin password has been deliberately changed, there is generally no way to recover the old one — a factory reset and reconfiguration is the only path back in. That’s a strong argument for documenting credentials somewhere secure the moment you set them.

Why You Should Change the Default Password Immediately

Default credentials are public information — they’re published in manufacturer manuals, third-party router-reset sites, and forums, which means any Grandstream device left on default settings and reachable from the internet is a known target. This matters more for VoIP hardware than for a typical home router, because a compromised PBX can be used to place unauthorized international calls, an expense that can run into thousands of dollars before anyone notices.

Once you’ve confirmed access, change the password immediately, disable remote web access unless you specifically need it, and restrict management access to your internal network or a VPN.

Common Mistakes Installers Make

  • Assuming admin/admin universally works — current-generation UCM and phone models increasingly ship with unique per-device passwords instead
  • Exposing the web UI directly to the internet for remote convenience, without a VPN or IP allowlist
  • Not setting a recovery email on UCM systems before something goes wrong, closing off the easiest recovery path
  • Factory-resetting a production PBX as a first troubleshooting step, losing extension and trunk configuration that then has to be rebuilt
  • Reusing the same admin password across multiple client sites, so one compromised device puts every other deployment at risk

Alternatives to Manual Password Management

For businesses managing several Grandstream devices, Grandstream’s GDMS cloud platform allows centralized provisioning and credential management rather than logging into each device individually — worth considering once you’re past a handful of units, though it does add a layer of cloud dependency that some security-conscious deployments prefer to avoid.

There’s no single universal Grandstream password anymore — the right approach is to check the physical device label first, fall back to admin/admin on older hardware, and always change the default immediately after gaining access. For PBX systems specifically, setting up a recovery email during initial configuration will save you a factory reset later. If you’re deploying Grandstream hardware for a client, treat credential hygiene as part of the installation checklist, not an afterthought.

FAQ Section

Q: What is the default Grandstream username and password? A: The default username is almost always “admin.” The default password is “admin” on older routers, gateways, and PBX units, but many current-generation devices instead use a unique password printed on a label on the device itself.

Q: How do I find my Grandstream router’s default IP address? A: Check the label on the underside of the device first. If it’s not printed there, most Grandstream routers default to an address in the 192.168.x.x range, commonly 192.168.0.60 or 192.168.2.1 depending on the model.

Q: I forgot my Grandstream UCM admin password — can I recover it? A: If you set up a recovery email during initial configuration, use the “Forget Password” link on the login page to have it emailed to you. Without a recovery email, a factory reset from the LCD menu is the only option.

Q: Can I recover a UCM password after I deliberately changed it? A: No. Once an admin password is manually changed and then forgotten, there is no recovery path other than a full factory reset, which erases your custom configuration.

Q: Why doesn’t admin/admin work on my new Grandstream phone or PBX? A: Grandstream has moved many current-generation devices to unique, per-unit passwords printed on the hardware label, as a security improvement over the older shared default.

Q: Is it safe to leave a Grandstream device on its default password? A: No. Default credentials are publicly documented, and any internet-reachable device left on defaults is a common target — particularly VoIP PBX systems, which attackers exploit to place unauthorized international calls.

Q: What should I do immediately after logging in for the first time? A: Change the default password, set up a recovery email if it’s a UCM PBX, and restrict web UI access to your internal network rather than exposing it directly to the internet.

Q: Does a factory reset always restore admin/admin as the login? A: On most devices, yes — a factory reset returns credentials to the manufacturer default. On newer units with a label-printed password, the reset restores that original label password rather than “admin.”

Visit Grandstream

Leave a Reply