Cybersecurity researchers have disclosed a crucial security flaw within the Grandstream GXP1600 sequence of VoIP telephones that might enable an attacker to grab management of prone units.
The vulnerability, tracked as CVE-2026-2329, carries a CVSS rating of 9.3 out of a most of 10.0. It has been described as a case of unauthenticated stack-based buffer overflow that might lead to distant code execution.
“A distant attacker can leverage CVE-2026-2329 to realize unauthenticated distant code execution (RCE) with root privileges on a goal gadget,” Rapid7 researcher Stephen Fewer, who found and reported the bug on January 6, 2026, mentioned.
In line with the cybersecurity firm, the problem is rooted within the gadget’s web-based API service (“/cgi-bin/api.values.get”) and is accessible in a default configuration with out requiring authentication.
This endpoint is designed to fetch a number of configuration values from the cellphone, such because the firmware model quantity or the mannequin, by way of a colon-delimited string within the “request” parameter (e.g., “request=68:phone_model”), which is then parsed to extract every identifier and append it to a 64 byte buffer on the stack.
“When appending one other character to the small 64 byte buffer, no size test is carried out to make sure that not more than 63 characters (plus the appended null terminator) are ever written to this buffer,” Fewer defined. “Subsequently, an attacker-controlled ‘request’ parameter can write previous the bounds of the small 64 byte buffer on the stack, overflowing into adjoining stack reminiscence.”
Which means a malicious colon-delimited “request” parameter despatched as a part of an HTTP request to the “/cgi-bin/api.values.get” endpoint can be utilized to set off a stack-based buffer overflow, permitting the menace actors to deprave the stack contents and in the end obtain distant code execution on the underlying working system.
The vulnerability impacts GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 fashions. It has been addressed as a part of a firmware replace (model 1.0.7.81) launched late final month.
In a Metasploit exploit module developed by Rapid7, it has been demonstrated that the vulnerability may very well be exploited to realize root privileges on a weak gadget and chain it with a post-exploitation element to extract credentials saved on a compromised gadget.
Moreover, the distant code execution capabilities will be weaponized to reconfigure the goal gadget to make use of a malicious Session Initiation Protocol (SIP) proxy, successfully enabling the attacker to intercept cellphone calls to and from the gadget and listen in on VoIP conversations. A SIP proxy is an middleman server in VoIP networks to determine and handle voice/video calls between endpoints.
“This is not a one-click exploit with fireworks and a victory banner,” Rapid7’s Douglas McKee mentioned. “However the underlying vulnerability lowers the barrier in a method that ought to concern anybody working these units in uncovered or lightly-segmented environments.”
