A critical stack buffer overflow in Grandstream Networks GXP1600 series VoIP phones lets unauthenticated remote attackers gain root privileges and silently eavesdrop. The flaw is tracked as CVE-2026-2329 and scored 9.3.
KEY FACTS
- Incident: Unauthenticated stack overflow in web API
- Severity: CVE-2026-2329 rated 9.3
- Affected models: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630
- Fix: Firmware 1.0.7.81 addresses the issue
In a technical report, Rapid7 explained that the vulnerable endpoint is the device's web API at /cgi-bin/api.values.get, which accepts a colon-delimited "request" parameter and copies it into a 64-byte stack buffer without a length check.
An attacker supplying overly long input can overflow the buffer and overwrite adjacent memory, including the program counter, enabling control of execution. Researchers produced a Metasploit module that demonstrates unauthenticated remote code execution as root.
Each overflow permits writing only one null terminator. To bypass that restriction, the researchers used multiple colon-separated identifiers to trigger the overflow repeatedly and write multiple null bytes. Successful exploitation enables arbitrary OS command execution, extraction of stored user and SIP credentials, and reconfiguration of the device to use a malicious SIP proxy for eavesdropping.
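The missing check is the whole story here, so the following C parser is an added illustration (not Rapid7's or Grandstream's code) of how a colon-delimited "request" value is split into identifiers and copied into a 64-byte stack buffer only after each identifier's length is verified; the function names, the identifier limit and the sample identifiers are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Size of the per-identifier stack buffer, matching the 64-byte buffer
 * described in the advisory; one byte is reserved for the terminator. */
#define IDENT_BUF 64
#define MAX_IDENTS 16   /* constructed limit, not a device value */

/* Copy one colon-separated identifier (src, len) into a 64-byte buffer.
 * Returns false instead of overflowing when the identifier does not fit;
 * the unpatched handler copied without this length check. */
static bool copy_ident(char dst[IDENT_BUF], const char *src, size_t len)
{
    if (len >= IDENT_BUF)           /* needs len + 1 bytes with terminator */
        return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Split a colon-delimited "request" value into bounded identifiers.
 * Returns the identifier count, or -1 when any identifier would not fit
 * or there are more identifiers than the output array can hold. */
int parse_request(const char *request, char out[MAX_IDENTS][IDENT_BUF])
{
    int count = 0;
    const char *p = request;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (count >= MAX_IDENTS || !copy_ident(out[count], p, len))
            return -1;
        count++;
        if (!colon)
            return count;
        p = colon + 1;
    }
}

int main(void)
{
    char idents[MAX_IDENTS][IDENT_BUF];
    char oversized[200];                  /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("well-formed: %d identifiers\n", parse_request("P1:P2:P3", idents));
    printf("oversized:   %d (rejected)\n", parse_request(oversized, idents));
    return 0;
}
```

The same predicate (any identifier of 64 bytes or more) is what a WAF rule or access-log check in front of an unpatched phone would flag.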
Researchers contacted the vendor on January 6 and again on January 20. A firmware update, version 1.0.7.81, dated February 3, fixes the vulnerability and is available from the vendor support site. Devices running firmware prior to 1.0.7.81 remain vulnerable. The vulnerability can be exploited from other hosts on the same network even if the device is not directly exposed to the internet.
WHY IT MATTERS
The flaw allows silent interception of voice traffic and theft of credentials, which can compromise business communications. Administrators should apply the firmware update promptly to mitigate the risk.