RCE Vulnerability in Grandstream GXP1600 VoIP Phones

Grandstream's GXP1600 series VoIP desk phones are affected by a critical zero-day vulnerability tracked as CVE-2026-2329. On a susceptible device, the flaw is an unauthenticated stack-based buffer overflow that can be exploited remotely to achieve root-level remote code execution (RCE).

All six models—GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630—are affected, since the phones in the series share a common firmware image. Rapid7 maps the defect to CWE-121 (stack-based buffer overflow) and rates it at CVSS v4.0 9.3 (Critical). The weak point is the phone's web service/API, which by default is reachable over plain HTTP on port 80.

The API endpoint /cgi-bin/api.values.get is highlighted in Rapid7's analysis: it copies an attacker-controlled request parameter into a 64-byte stack buffer without sufficient bounds checking, so an overlong input overflows the buffer.

An exploit module for Metasploit that targets a GXP1630 device (source: Rapid7)

Rapid7's exploitation notes state that the binary's mitigations are insufficient:

Mitigation | Status | Effect
NX (No-Execute) | Enabled | Stops shellcode from running directly on the stack.
Stack canaries | Not present | Stack buffer overflows are not prevented.
PIE (Position Independent Executable) | Not enabled | A fixed memory layout makes ROP exploitation more reliable.

A public proof-of-concept has been implemented as Metasploit modules: an exploit module that demonstrates unauthenticated root RCE, and a post-exploitation module that retrieves stored secrets from a compromised phone, including local and SIP account credentials.
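As an added example, not Rapid7's module and not code from Grandstream, the following Python scans web-server access logs for requests to the vulnerable endpoint whose query parameter values exceed the 64-byte buffer described above. The log format, the client addresses and the parameter name `param` are constructed assumptions; the page does not name the parameter, so the check looks at every query parameter on that path.

```python
# Added example, not Rapid7's module or Grandstream code: flag requests to the
# vulnerable endpoint whose query parameter values exceed the 64-byte stack
# buffer named in the analysis. Log format, addresses and the parameter name
# "param" are constructed assumptions; the page does not name the parameter.
import re
from urllib.parse import parse_qsl, urlsplit

VULNERABLE_PATH = "/cgi-bin/api.values.get"
STACK_BUFFER_BYTES = 64  # buffer size reported by Rapid7

# Common Log Format prefix: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines as a reverse proxy or IDS in front of the phones
# might record them (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    '192.0.2.10 - - [10/Feb/2026:09:14:02 +0000] '
    '"GET /cgi-bin/api.values.get?param=phone_model HTTP/1.1" 200',
    '192.0.2.10 - - [10/Feb/2026:09:14:05 +0000] '
    '"GET /cgi-bin/api.values.get?param=' + "A" * 300 + ' HTTP/1.1" 200',
    '192.0.2.11 - - [10/Feb/2026:09:15:40 +0000] '
    '"GET /index.html HTTP/1.1" 200',
    '192.0.2.12 - - [10/Feb/2026:09:16:01 +0000] '
    '"GET /cgi-bin/api.values.get?param=%41%41%41 HTTP/1.1" 200',
]


def parse_log_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so the lengths below reflect what the CGI
    # would actually copy, not the encoded length on the wire.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_requests(lines, limit=STACK_BUFFER_BYTES):
    """Return one hit per query parameter longer than `limit` bytes."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != VULNERABLE_PATH:
            continue
        for name, value in rec["params"]:
            length = len(value.encode("utf-8"))
            if length > limit:
                hits.append({"src": rec["src"], "ts": rec["ts"],
                             "param": name, "length": length})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} {hit['param']}={hit['length']} bytes")
```

The threshold is deliberately the buffer size itself; in practice a lower limit catches probing earlier, because legitimate values for this endpoint are short configuration keys. Two caveats: the phones' own web server does not necessarily log in this format, so the lines are best taken from a proxy or IDS placed in front of the devices, and an access log shows only the query string, so a parameter sent in a POST body would need packet-level inspection instead.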

Following the stack-based overflow, the process registers are displayed in a GDB session (source: Rapid7)

Rapid7 adds that once an attacker has code execution, and where the SIP infrastructure permits it, they may be able to change SIP settings (for example, pointing the device at a malicious SIP proxy) to intercept calls. Grandstream has released firmware version 1.0.7.81 to fix the problem; organisations should give top priority to upgrading any GXP16xx devices running older versions.

Firmware 1.0.7.81 (dated 01/30/2026) is listed in Grandstream's GXP16xx release notes, which state only that it "Fixed some security vulnerabilities," indicating that the update is security-focused.
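To turn the upgrade advice above into a prioritised list, here is an added example (not Grandstream's or Rapid7's tooling) that triages a device inventory against the fixed version 1.0.7.81. It compares dotted firmware versions numerically, which matters because a plain string comparison would rank 1.0.7.9 above 1.0.7.81. The inventory records are constructed, and "OTHER-MODEL" is a placeholder for any device outside the GXP16xx series.

```python
# Added example, not Grandstream's or Rapid7's tooling: triage a device
# inventory against the fixed firmware version 1.0.7.81 named in the
# release notes. The inventory records below are constructed.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625",
                   "GXP1628", "GXP1630"}
FIXED_VERSION = "1.0.7.81"


def version_key(version):
    """Numeric tuple for a dotted version, so 1.0.7.9 sorts below 1.0.7.81.

    A plain string comparison gets this wrong ("9" > "8").
    """
    return tuple(int(part) for part in version.strip().split("."))


def needs_upgrade(model, firmware):
    """True for an affected model running firmware older than the fix.

    An unparsable version string is treated as needing review rather than
    silently passing.
    """
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    try:
        return version_key(firmware) < version_key(FIXED_VERSION)
    except ValueError:
        return True


# Constructed inventory: (hostname, model, firmware). "OTHER-MODEL" stands in
# for any device outside the GXP16xx series.
INVENTORY = [
    ("desk-101", "GXP1625", "1.0.7.9"),
    ("desk-102", "GXP1630", "1.0.7.81"),
    ("desk-103", "gxp1610", "1.0.5.3"),
    ("desk-104", "GXP1628", "unknown"),
    ("lobby-1", "OTHER-MODEL", "1.0.7.9"),
]


def triage(inventory):
    """Hostnames that should be scheduled for the 1.0.7.81 upgrade."""
    return [host for host, model, fw in inventory if needs_upgrade(model, fw)]


if __name__ == "__main__":
    print("Upgrade first:", ", ".join(triage(INVENTORY)))
```

Devices whose reported version cannot be parsed are listed as well, since a phone that cannot tell you its firmware is one you want to look at by hand rather than assume is patched.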