Full Report
Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices. The vulnerability, tracked as CVE-2026-2329, carries a CVSS score of 9.3 out of a maximum of 10.0. It has been described as a case of unauthenticated stack-based buffer overflow that could result in remote code
Analysis Summary
# Vulnerability: Grandstream GXP1600 Series Unauthenticated RCE
## CVE Details
- **CVE ID:** CVE-2026-2329
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Grandstream GXP1600 series VoIP phones
- **Versions:** All firmware versions prior to 1.0.7.81
- **Affected Models:** GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630
- **Configurations:** Vulnerable in default configurations via the web-based API service.
## Vulnerability Description
The flaw exists within the `/cgi-bin/api.values.get` endpoint of the device's web API. This endpoint processes a "request" parameter containing colon-delimited strings to fetch configuration values. The application fails to perform a length check when copying these identifiers into a fixed 64-byte stack buffer. By sending a specially crafted, overlong string in the "request" parameter, an unauthenticated attacker can overflow the stack, overwrite adjacent memory, and redirect execution flow to achieve Remote Code Execution (RCE) with root privileges.
## Exploitation
- **Status:** PoC available (Metasploit exploit module developed by Rapid7)
- **Complexity:** Medium (described by researchers as "lowering the barrier" for attackers)
- **Attack Vector:** Network (Remote, unauthenticated)
## Impact
- **Confidentiality:** High (Ability to extract stored credentials and eavesdrop on VoIP calls via SIP proxy reconfiguration)
- **Integrity:** High (Full control over device configuration and operating system with root privileges)
- **Availability:** High (Potential to crash the device or render it inoperable)
## Remediation
### Patches
- **Firmware Version 1.0.7.81:** Users should update affected devices to this version or later immediately.
### Workarounds
- **Network Segmentation:** Isolate VoIP phones on a dedicated VLAN and restrict access to the web management interface using firewalls or ACLs.
- **Disable Web Access:** If not required for daily operations, disable the web-based administration/API service.
## Detection
- **Indicators of Compromise:**
  - Unusual HTTP POST/GET requests to `/cgi-bin/api.values.get` containing excessively long strings in the "request" parameter.
  - Unauthorized changes to SIP proxy settings or device configuration.
  - Unexplained device reboots or service crashes.
- **Detection Methods:**
  - Monitor web server logs for the specific API endpoint.
  - Use IDS/IPS signatures designed to detect buffer overflow patterns in HTTP parameters directed at Grandstream devices.
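The log-monitoring method above, as an added example (not code from the advisory, the vendor or Rapid7): it scans web server access-log lines for GET requests to `/cgi-bin/api.values.get` and flags any colon-delimited identifier in the "request" parameter that would not fit the 64-byte stack buffer named in the description. The log format, the sample lines and the identifier names are constructed assumptions; POST bodies are not present in standard access logs, so this only covers query-string requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/api.values.get"
BUFFER_SIZE = 64  # fixed stack buffer size stated in the vulnerability description

# Common Log Format: source, two dashes, timestamp, quoted request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def longest_identifier(target: str) -> int:
    """Length (in bytes) of the longest colon-delimited identifier in the
    'request' parameter of a request to ENDPOINT; 0 for any other path."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return 0
    # parse_qs percent-decodes, so an encoded %3A colon is still split on.
    values = parse_qs(parts.query, keep_blank_values=True).get("request", [])
    idents = [ident for value in values for ident in value.split(":")]
    return max((len(ident.encode()) for ident in idents), default=0)

def scan_log(text: str, threshold: int = BUFFER_SIZE) -> list[dict]:
    """Return one record per log line whose longest identifier reaches the
    buffer size; legitimate identifiers are short names, so the threshold is
    conservative (an assumption, tune for your environment)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        n = longest_identifier(m["target"])
        if n >= threshold:
            hits.append({"src": m["src"], "method": m["method"],
                         "ident_len": n, "status": m["status"]})
    return hits

# Constructed sample log: one normal lookup, one oversized identifier, one unrelated page.
LONG_IDENT = "A" * 200
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [01/Mar/2026:10:00:01 +0000] "GET /cgi-bin/api.values.get?request=item1:item2 HTTP/1.1" 200 512',
    f'192.0.2.11 - - [01/Mar/2026:10:00:02 +0000] "GET /cgi-bin/api.values.get?request=item1:{LONG_IDENT} HTTP/1.1" 500 0',
    '192.0.2.12 - - [01/Mar/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT {hit['src']} {hit['method']} {ENDPOINT} ident_len={hit['ident_len']} status={hit['status']}")
```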
## References
- **Vendor Advisory:** hxxps[://]firmware[.]grandstream[.]com/Release_Note_GXP16xx_1.0.7.81[.]pdf
- **Researcher Disclosure:** hxxps[://]www[.]rapid7[.]com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/
- **Metasploit Module:** hxxps[://]github[.]com/rapid7/metasploit-framework/pull/20983