A serious security vulnerability in the Grandstream GXP1600 series of VoIP phones has been discovered by cybersecurity researchers, which could give an attacker access to vulnerable devices. With a CVSS score of 9.3 out of a possible 10.0, the vulnerability is tracked as CVE-2026-2329.

The flaw has been described as an unauthenticated stack-based buffer overflow that may lead to remote code execution. The bug was found and reported on January 6, 2026, by Rapid7 researcher Stephen Fewer. "A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device," Fewer stated. The cybersecurity firm says the problem stems from the web-based API service ("/cgi-bin/api.values.get") on the device, which is available by default without the need for authentication.

This endpoint is intended to retrieve one or more configuration values from the phone, such as the model or firmware version number, named in a colon-delimited string in the "request" parameter (for example, "request=68:phone_model"). The parameter is parsed, and each identifier is extracted and appended to a 64-byte buffer on the stack. Fewer clarified, "No length check is done to guarantee that no more than 63 characters (plus the appended null terminator) are ever written to this buffer when adding another character to the small 64-byte buffer."

"Therefore, an attacker-controlled 'request' parameter can write past the stack's small 64-byte buffer and overflow into neighboring stack memory." This means that a stack-based buffer overflow can be caused by a malicious colon-delimited "request" parameter sent as part of an HTTP request to the "/cgi-bin/api.values.get" endpoint. This would enable threat actors to corrupt the contents of the stack and eventually accomplish remote code execution on the underlying operating system.

Models GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 are all susceptible. A firmware update (version 1.0.7.81) that was made available late last month addressed it.
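
The missing bound described above, shown as an added C sketch (not Grandstream firmware code and not taken from Rapid7's analysis): a parser for the colon-delimited "request" value that builds each identifier in a 64-byte stack buffer and rejects any identifier that would exceed 63 characters plus the terminator. The names `parse_request`, `id_cb` and `print_id` are hypothetical, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE 64 /* buffer size given in the write-up */
/* Hypothetical callback: receives each NUL-terminated identifier. */
typedef void (*id_cb)(const char *id, void *ctx);

/* Split a colon-delimited "request" value, building each identifier one
 * character at a time in a 64-byte stack buffer. Returns the identifier
 * count, or -1 if one would not fit. Empty identifiers are skipped
 * (an assumption of this sketch). */
int parse_request(const char *request, id_cb cb, void *ctx)
{
    char id[ID_BUF_SIZE];
    size_t len = 0;
    int count = 0;

    for (const char *p = request;; p++) {
        if (*p == ':' || *p == '\0') {
            if (len > 0) {
                id[len] = '\0'; /* len <= 63, so this stays in bounds */
                if (cb) cb(id, ctx);
                count++;
                len = 0;
            }
            if (*p == '\0') break;
            continue;
        }
        /* The check the quote says is absent: at most 63 chars + NUL. */
        if (len >= ID_BUF_SIZE - 1)
            return -1;
        id[len++] = *p;
    }
    return count;
}

static void print_id(const char *id, void *ctx)
{
    printf("%s%s\n", (const char *)ctx, id);
}

int main(void)
{
    char long_id[201]; /* constructed: 200 'A' characters */
    memset(long_id, 'A', 200);
    long_id[200] = '\0';
    printf("-> %d\n", parse_request("68:phone_model", print_id, "id: "));
    printf("-> %d\n", parse_request(long_id, print_id, "id: "));
    return 0;
}
```

The overlong identifier is refused before the 64th character is stored, so nothing is ever written past the buffer and the caller can answer with an error instead of continuing to parse.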

Using a Metasploit exploit module created by Rapid7, it has been shown that the vulnerability can be used to obtain root privileges on a susceptible device and can be combined with a post-exploitation component to retrieve credentials from the compromised device. Furthermore, the attacker can effectively intercept phone calls to and from the device and eavesdrop on VoIP conversations by using the remote code execution capabilities to reconfigure the target device to use a malicious Session Initiation Protocol (SIP) proxy. In VoIP networks, a SIP proxy is a server that acts as a middleman to set up and control voice and video calls between endpoints.

Douglas McKee of Rapid7 stated, "This isn't a one-click exploit with fireworks and a victory banner."

"However, the underlying vulnerability lowers the barrier in a way that should worry anyone using these devices in environments that are exposed or have minimal segregation."