A critical vulnerability, tracked as CVE-2026-2329, has been discovered in Grandstream's GXP1600 series VoIP desk phones. It allows an unauthenticated remote attacker to execute code as root on affected devices.
Understanding the Vulnerability
The vulnerability is an unauthenticated stack-based buffer overflow in the phones' firmware and affects all six models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. Rapid7 rates the flaw critical with a CVSS v4.0 score of 9.3 and classifies it as CWE-121 (stack-based buffer overflow).
Technical Details of the Exploit
The vulnerability is located in the phone's web service, reachable over plain HTTP on port 80. Rapid7's analysis pinpointed the endpoint /cgi-bin/api.values.get, where a crafted request overflows a 64-byte stack buffer because the handler copies attacker-controlled input without checking its length against the buffer.
A Metasploit module exists that exploits the flaw against the GXP1630 and other models in the series, giving an unauthenticated attacker a root shell. The firmware binary is built without stack canaries and without position-independent executable (PIE) support, so the overflow is not detected at runtime and the attacker can rely on fixed code addresses, which is what makes the exploit reliable.
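The following is an added illustration of the CWE-121 pattern the analysis describes, written for this page; it is not Grandstream's firmware code, and the parameter name "request", the helper names, and the HTTP status codes are assumptions. It places the unbounded copy into a 64-byte stack buffer next to a bounded parser that rejects an oversized value before anything touches the stack buffer.

```c
/* Added example of the CWE-121 pattern, not Grandstream's code.
 * The query parameter name "request" and the helper names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define VALUE_BUF_LEN 64   /* matches the 64-byte stack buffer described in the advisory */

/* Vulnerable pattern: an unbounded copy of an attacker-controlled value into a
 * 64-byte stack buffer. Without a stack canary the overflow silently clobbers
 * the saved return address; without PIE the attacker knows what to return to.
 * Calling this with a value of 64 bytes or more is undefined behaviour. */
size_t copy_value_unchecked(const char *value) {
    char buf[VALUE_BUF_LEN];
    strcpy(buf, value);               /* overflows when strlen(value) >= 64 */
    return strlen(buf);
}

/* Hardened form: check the length against the buffer before copying.
 * Returns 0 on success, -1 if the value would not fit. */
int copy_value_checked(const char *value, char *buf, size_t buflen) {
    size_t n = strlen(value);
    if (n >= buflen) return -1;       /* leave room for the terminator */
    memcpy(buf, value, n + 1);
    return 0;
}

/* Extract the value of `key` from a query string like "k1=v1&k2=v2" into out.
 * Returns 0 when found and it fits, -1 when the key is absent, -2 when the
 * value is too long for out (nothing is written in that case). */
int get_query_value(const char *query, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) return -2;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Simulated handler for an endpoint shaped like /cgi-bin/api.values.get.
 * Returns the HTTP status the server should answer with. */
int handle_values_get(const char *query) {
    char value[VALUE_BUF_LEN];
    int rc = get_query_value(query, "request", value, sizeof value);
    if (rc == -2) return 413;         /* oversized value rejected before any stack copy */
    if (rc == -1) return 400;         /* required parameter missing */
    return 200;                       /* value is bounded; safe to use from here */
}

int main(void) {
    char big[200], q[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(q, sizeof q, "request=%s", big);   /* constructed oversized request */
    printf("normal value   -> HTTP %d\n", handle_values_get("request=vendor.model"));
    printf("oversized value -> HTTP %d\n", handle_values_get(q));
    return 0;
}
```

Compiling the vulnerable variant with -fstack-protector-strong -fPIE -pie would add exactly the two mitigations Rapid7 found missing; neither replaces the bound check, but together they turn a reliable exploit into a crash.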
Mitigation and Recommendations
Grandstream has released firmware version 1.0.7.81 to fix the issue. Organizations running affected models should update to this version immediately; because the vulnerable endpoint is reachable without authentication over HTTP, phones that cannot be updated right away should at least have their web interface kept off untrusted networks until they are.
Grandstream's release notes, dated January 30, 2026, confirm that the update addresses several security vulnerabilities, which makes prompt patching all the more important. A phone compromised at root level is a foothold inside the SIP infrastructure and can be used to intercept calls, so the update matters beyond this single CVE.
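As an added example for the inventory check a practitioner would run against this advisory (not vendor tooling), the block below flags devices that are one of the six affected models and run firmware older than 1.0.7.81. The sample inventory is constructed here. The point worth noting is that dotted versions must be compared component by component: a plain string comparison would rank "1.0.7.9" above "1.0.7.81" and miss a device that still needs the update.

```c
/* Added example: flag GXP1600-series devices that still need firmware 1.0.7.81.
 * Not Grandstream's tooling; the inventory below is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static const char *AFFECTED_MODELS[] = {
    "GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"
};
#define FIXED_VERSION "1.0.7.81"   /* from the advisory */

/* Advance past the current dotted component (and its separator). */
static void skip_component(const char **s) {
    while (**s && **s != '.') (*s)++;
    if (**s == '.') (*s)++;
}

/* Compare dotted numeric versions component by component; missing trailing
 * components count as 0. Returns <0, 0 or >0 like strcmp. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        long x = strtol(a, NULL, 10);
        long y = strtol(b, NULL, 10);
        if (x != y) return x < y ? -1 : 1;
        skip_component(&a);
        skip_component(&b);
    }
    return 0;
}

int is_affected_model(const char *model) {
    for (size_t i = 0; i < sizeof AFFECTED_MODELS / sizeof AFFECTED_MODELS[0]; i++)
        if (strcmp(model, AFFECTED_MODELS[i]) == 0) return 1;
    return 0;
}

/* 1 if the device is an affected model running firmware older than the fix. */
int needs_update(const char *model, const char *firmware) {
    return is_affected_model(model) && version_cmp(firmware, FIXED_VERSION) < 0;
}

int main(void) {
    /* Constructed sample inventory: model, reported firmware version */
    const char *inventory[][2] = {
        {"GXP1630", "1.0.7.9"},    /* older despite sorting after 1.0.7.81 as a string */
        {"GXP1620", "1.0.7.81"},   /* already fixed */
        {"GXP1625", "1.0.5.0"},    /* older */
        {"GXP2170", "1.0.0.1"},    /* not in the affected series */
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-8s %-10s %s\n", inventory[i][0], inventory[i][1],
               needs_update(inventory[i][0], inventory[i][1]) ? "UPDATE" : "ok");
    return 0;
}
```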
