On January 6, 2026 a technical analysis by Rapid7 reported a critical unauthenticated stack-based buffer overflow in the Grandstream GXP1600 series of VoIP phones that can enable remote code execution with root privileges, tracked as CVE-2026-2329 and scored 9.3 out of 10.
KEY FACTS
- Vulnerability: Unauthenticated stack-based buffer overflow permitting remote code execution
- CVE: CVE-2026-2329, CVSS score 9.3
- Affected models: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630
- Mitigation: Firmware update version 1.0.7.81 available
The report describes the flaw as reachable through the phone's web API endpoint /cgi-bin/api.values.get, which in the default configuration does not require authentication.
The endpoint accepts a colon-delimited request parameter. The identifiers parsed out of that parameter are appended into a 64-byte buffer on the stack with no length check, so a request longer than the buffer allows an attacker to write past it and overwrite adjacent stack memory.
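The append pattern described above, as an added illustration in C: this is constructed example code, not Grandstream firmware or Rapid7's analysis, and the request format, the ',' separator written after each identifier, and the function names are assumptions. It shows the unchecked loop beside a bounded version of the same loop, with a helper that computes how many bytes the unchecked loop would write for a given request.

```c
/*
 * Added illustration (not Grandstream firmware or Rapid7 code).
 * Assumptions: identifiers are split on ':', each is copied into the buffer
 * followed by a ',' separator, and the buffer is NUL-terminated at the end.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_BUF 64   /* size of the stack buffer named in the report */

/* Bytes the append loop wants to write for a request:
 * each identifier plus one separator byte, then the terminating NUL. */
size_t bytes_needed(const char *request)
{
    size_t total = 0;
    const char *p = request;
    while (*p != '\0') {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        total += len + 1;                 /* identifier plus ',' */
        p = colon ? colon + 1 : p + len;
    }
    return total + 1;                     /* NUL terminator */
}

/* VULNERABLE PATTERN (constructed). Every identifier is appended to a fixed
 * 64-byte stack buffer with no check against its size, so a long request
 * overwrites whatever sits above the buffer on the stack.
 * Returns the byte count written. Only call it with requests for which
 * bytes_needed(request) <= VALUE_BUF; anything larger is undefined behaviour. */
size_t append_unchecked(const char *request)
{
    char values[VALUE_BUF];
    size_t pos = 0;
    const char *p = request;
    while (*p != '\0') {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        memcpy(values + pos, p, len);     /* no comparison with VALUE_BUF */
        pos += len;
        values[pos++] = ',';
        p = colon ? colon + 1 : p + len;
    }
    values[pos] = '\0';
    return pos + 1;
}

/* HARDENED: the same loop, but each write is checked against the remaining
 * space. Returns false and leaves an empty string if the request does not fit. */
bool append_checked(const char *request, char *out, size_t out_size)
{
    size_t pos = 0;
    const char *p = request;
    if (out_size == 0)
        return false;
    out[0] = '\0';
    while (*p != '\0') {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        /* len bytes for the identifier, one for ',', one for the final NUL */
        if (len + 2 > out_size - pos) {
            out[0] = '\0';
            return false;
        }
        memcpy(out + pos, p, len);
        pos += len;
        out[pos++] = ',';
        p = colon ? colon + 1 : p + len;
    }
    out[pos] = '\0';
    return true;
}

/* Convenience wrapper: does the request fit a VALUE_BUF-sized stack buffer? */
bool fits_in_value_buf(const char *request)
{
    char values[VALUE_BUF];
    return append_checked(request, values, sizeof values);
}

/* Constructed test input: a single identifier made of n 'A' bytes (n < 256). */
const char *ident_of_length(size_t n)
{
    static char buf[256];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("'vendor:model:fwver' needs %zu bytes, fits: %d\n",
           bytes_needed("vendor:model:fwver"), fits_in_value_buf("vendor:model:fwver"));
    printf("199-byte identifier needs %zu bytes (buffer is %d), fits: %d\n",
           bytes_needed(ident_of_length(199)), VALUE_BUF, fits_in_value_buf(ident_of_length(199)));
    return 0;
}
```

The boundary is the part worth checking: a 62-byte identifier needs exactly 64 bytes (62 plus ',' plus NUL) and is accepted by append_checked, while a 63-byte identifier is rejected; the unchecked loop would write 65 bytes into the 64-byte buffer for that same input, which is the one-byte-past-the-end condition that grows into a full stack overwrite as the request gets longer.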
The report includes a demonstration using a Metasploit module showing that exploitation yields root privileges and can be chained to extract credentials. The same code execution can be used to reconfigure a device to use an attacker-controlled SIP proxy, enabling interception of VoIP calls.
A firmware update, version 1.0.7.81, is available from Grandstream; its release notes indicate that it addresses the issue. The report did not provide evidence of widespread active exploitation.
WHY IT MATTERS
The flaw allows unauthenticated remote code execution as root on widely deployed VoIP handsets. Devices exposed to the public internet, or sitting on lightly segmented internal networks, could be taken over and used to intercept calls or harvest credentials until they are updated.