Cybersecurity researchers have disclosed a crucial safety flaw within the Grandstream GXP1600 collection of VoIP telephones that would permit an attacker to grab management of prone gadgets.
The vulnerability, tracked as CVE-2026-2329, carries a CVSS rating of 9.3 out of a most of 10.0. It has been described as a case of unauthenticated stack-based buffer overflow that would end in distant code execution.
“A distant attacker can leverage CVE-2026-2329 to attain unauthenticated distant code execution (RCE) with root privileges on a goal machine,” Rapid7 researcher Stephen Fewer, who found and reported the bug on January 6, 2026, mentioned.
In keeping with the cybersecurity firm, the difficulty is rooted within the machine’s web-based API service (“/cgi-bin/api.values.get”) and is accessible in a default configuration with out requiring authentication.
This endpoint is designed to fetch a number of configuration values from the telephone, such because the firmware model quantity or the mannequin, by a colon-delimited string within the “request” parameter (e.g., “request=68:phone_model”), which is then parsed to extract every identifier and append it to a 64 byte buffer on the stack.
“When appending one other character to the small 64 byte buffer, no size examine is carried out to make sure that not more than 63 characters (plus the appended null terminator) are ever written to this buffer,” Fewer defined. “Due to this fact, an attacker-controlled ‘request’ parameter can write previous the bounds of the small 64 byte buffer on the stack, overflowing into adjoining stack reminiscence.”
Which means a malicious colon-delimited “request” parameter despatched as a part of an HTTP request to the “/cgi-bin/api.values.get” endpoint can be utilized to set off a stack-based buffer overflow, permitting the risk actors to deprave the stack contents and finally obtain distant code execution on the underlying working system.
The vulnerability impacts GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 fashions. It has been addressed as a part of a firmware replace (model 1.0.7.81) launched late final month.
In a Metasploit exploit module developed by Rapid7, it has been demonstrated that the vulnerability could possibly be exploited to achieve root privileges on a weak machine and chain it with a post-exploitation part to extract credentials saved on a compromised machine.
Moreover, the distant code execution capabilities may be weaponized to reconfigure the goal machine to make use of a malicious Session Initiation Protocol (SIP) proxy, successfully enabling the attacker to intercept telephone calls to and from the machine and snoop on VoIP conversations. A SIP proxy is an middleman server in VoIP networks to ascertain and handle voice/video calls between endpoints.
“This is not a one-click exploit with fireworks and a victory banner,” Rapid7’s Douglas McKee mentioned. “However the underlying vulnerability lowers the barrier in a manner that ought to concern anybody working these gadgets in uncovered or lightly-segmented environments.”
