Cybersecurity experts have uncovered a significant vulnerability in the Grandstream GXP1600 VoIP phone series, which can be exploited by attackers to gain control over affected units. This flaw, identified as CVE-2026-2329, has been assigned a critical CVSS score of 9.3, indicating its potential impact. The issue involves an unauthenticated stack-based buffer overflow that could permit remote code execution.
Details of the Security Vulnerability
The vulnerability, discovered by Rapid7 researcher Stephen Fewer, was reported on January 6, 2026. It resides in the web-based API service of the device, specifically the “/cgi-bin/api.values.get” endpoint. This service is used to retrieve configuration details like the firmware version through a colon-separated string in the “request” parameter. The problem arises due to the absence of a length check when appending characters to a 64-byte buffer, which can lead to overflow.
According to Fewer, the endpoint’s design flaw allows attackers to manipulate the “request” parameter, writing beyond the buffer’s capacity. This overflow could overwrite adjacent memory on the stack, facilitating remote code execution. As a result, threat actors could potentially compromise the device’s operating system.
Impact on Grandstream VoIP Models
This vulnerability affects several models, including GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. Grandstream addressed the issue by releasing a firmware update (version 1.0.7.81) at the end of last month. The update aims to rectify this critical security flaw.
Furthermore, Rapid7 developed a Metasploit exploit module to demonstrate how an attacker could exploit this vulnerability to gain root access. The exploit can be combined with other techniques to extract sensitive data from compromised devices.
Potential Consequences of Exploitation
The remote code execution capability enables attackers to modify the device settings, such as redirecting its connections through a compromised Session Initiation Protocol (SIP) proxy. This manipulation could allow attackers to intercept and eavesdrop on phone conversations conducted over the VoIP network. A SIP proxy acts as a mediator in VoIP systems, facilitating call setup and management.
While the exploit is not straightforward or easy to execute, the underlying vulnerability significantly reduces the security threshold for these devices, especially in environments with minimal protection. Operators of affected devices should be vigilant and apply the necessary updates to safeguard their systems.
In conclusion, the discovery of this vulnerability underlines the importance of maintaining up-to-date security measures for network-connected devices. As attackers continue to find new ways to exploit such flaws, staying informed and proactive in patching vulnerabilities is crucial for protecting sensitive communications and data.
