Critical CVE-2026-2329 Vulnerability in Grandstream GXP1600 VoIP Phones Enables Remote Code Execution and Call Interception

Executive Summary
A critical vulnerability, CVE-2026-2329, has been identified in the Grandstream GXP1600 series of VoIP phones, exposing organizations to severe risks including remote code execution, credential theft, and real-time call interception. This stack-based buffer overflow flaw, rated CVSS 9.3, allows unauthenticated attackers to gain root-level access to affected devices over the network. The vulnerability is trivial to exploit, with public Metasploit modules and proof-of-concept code already available, significantly increasing the risk of widespread exploitation. All Grandstream GXP1600 models running firmware versions prior to 1.0.7.81 are vulnerable. Immediate action is required to mitigate the risk of compromise, data leakage, and potential regulatory violations.
Technical Information
The vulnerability, tracked as CVE-2026-2329 and classified under CWE-121 (Stack-based Buffer Overflow), affects the Grandstream GXP1600 series, including models GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. The flaw resides in the /cgi-bin/api.values.get HTTP API endpoint, which is exposed by default on TCP port 80. This endpoint accepts a request parameter that is copied into a fixed-size 64-byte stack buffer without proper bounds checking. By sending a specially crafted HTTP POST request with an excessively long request value, an attacker can overwrite the stack, control the program counter, and execute arbitrary code on the device.
The attack does not require authentication or prior knowledge of device credentials. The exploit can be triggered remotely from any network segment with access to the device’s web interface. Once exploited, attackers can execute code as root, extract sensitive configuration data, implant persistent backdoors, and manipulate SIP settings to redirect or intercept calls.
A typical exploit, as demonstrated by Rapid7, involves a simple curl command:
curl -ik http://<target_ip>/cgi-bin/api.values.get --data "request=$(python -c 'print("A"*256)')"
This command sends a payload that overflows the vulnerable buffer, allowing the attacker to hijack execution flow. Public Metasploit modules automate this process, enabling even low-skilled attackers to weaponize the vulnerability at scale.
The impact of exploitation is severe. Attackers can extract SIP credentials, reconfigure the phone to use a rogue SIP proxy, intercept and record calls, and pivot into internal networks. The vulnerability also enables toll fraud, impersonation, and lateral movement within the organization.
Exploitation in the Wild
Since public disclosure, exploitation of CVE-2026-2329 has been demonstrated in controlled environments using Metasploit and custom proof-of-concept scripts. Security researchers at Rapid7 and runZero have confirmed the ease of exploitation and the availability of weaponized code. While no mass exploitation campaigns have been reported as of this writing, the trivial nature of the attack and the widespread deployment of Grandstream GXP1600 phones make opportunistic attacks highly likely.
SecurityWeek, TheHackerNews, and HelpNetSecurity have all reported on the vulnerability, emphasizing the risk of real-world exploitation. The presence of public exploit modules significantly lowers the barrier to entry for both criminal and nation-state actors.
APT Groups using this vulnerability
As of the latest intelligence, there is no confirmed attribution of CVE-2026-2329 exploitation to specific Advanced Persistent Threat (APT) groups. However, the characteristics of the vulnerability—unauthenticated remote code execution, root access, and the ability to intercept communications—make it highly attractive to both espionage-focused APTs and financially motivated cybercriminals. The rapid weaponization of the exploit in public frameworks suggests that adoption by APT groups is imminent, especially for targeting organizations in sectors where voice communications are sensitive, such as government, finance, and critical infrastructure.
Affected Product Versions
All models in the Grandstream GXP1600 series running firmware versions prior to 1.0.7.81 are affected. This includes GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. The vulnerability is present in the shared firmware image used across these models. Devices running firmware version 1.0.7.81 or later are not vulnerable.
Workaround and Mitigation
Immediate mitigation is critical. Organizations must upgrade all Grandstream GXP1600 series devices to firmware version 1.0.7.81 or later, available from the official Grandstream support portal. Firmware updates address the buffer overflow by implementing proper bounds checking and input validation.
In addition to patching, organizations should audit all GXP1600 devices for signs of compromise, such as unauthorized configuration changes, unexpected SIP proxy settings, or the presence of unknown user accounts. Network monitoring should be implemented to detect anomalous outbound connections from VoIP devices, particularly to unfamiliar SIP servers.
Where immediate patching is not possible, restrict network access to the device’s web interface using firewalls or network segmentation. Disable unnecessary services and monitor for unusual HTTP POST requests to the /cgi-bin/api.values.get endpoint.
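The following is an added detection example, not code from the advisory or from Rapid7: it applies the technical details above (the /cgi-bin/api.values.get endpoint and the 64-byte stack buffer behind the request parameter) to the monitoring recommendation, flagging any request whose decoded request value could not fit the buffer. The log tuple format and the sample traffic are constructed for illustration, and it is assumed the device percent-decodes the parameter before copying it.

```python
from urllib.parse import parse_qs, urlsplit

# Facts taken from the advisory: the vulnerable endpoint and the 64-byte
# stack buffer that the "request" parameter is copied into.
VULN_PATH = "/cgi-bin/api.values.get"
BUFFER_SIZE = 64


def request_param_length(query_or_body):
    """Return the longest decoded 'request' value (in bytes) in a form-encoded string.

    Percent-encoding is decoded first (assumption: the device decodes the
    parameter before the copy, so the decoded length is what matters)."""
    values = parse_qs(query_or_body, keep_blank_values=True).get("request", [])
    return max((len(v.encode("utf-8")) for v in values), default=0)


def inspect_request(client_ip, method, target, body=""):
    """Return an alert dict if this request could overflow the buffer, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # Check both the query string and the POST body; report the worst case.
    length = max(request_param_length(parts.query), request_param_length(body))
    if length <= BUFFER_SIZE:
        return None
    return {"client": client_ip, "method": method, "request_len": length,
            "severity": "high" if method == "POST" else "medium"}


def scan(entries):
    """Run inspect_request over (client_ip, method, target, body) tuples."""
    return [a for a in (inspect_request(*e) for e in entries) if a]


# Constructed sample traffic (not real captures): normal use, a 256-byte
# oversize value like the advisory's curl example, and a percent-encoded one.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "/cgi-bin/api.values.get", "request=phone_settings"),
    ("10.0.0.7", "GET", "/cgi-bin/api.values.get?request=status", ""),
    ("198.51.100.9", "POST", "/cgi-bin/api.values.get", "request=" + "A" * 256),
    ("203.0.113.4", "POST", "/cgi-bin/api.values.get", "request=" + "%41" * 100),
    ("10.0.0.5", "POST", "/cgi-bin/login.cgi", "user=admin&request=" + "B" * 300),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Feed it tuples parsed from whatever proxy, IDS or packet-capture source sees traffic to the phones' web interface; anything it flags from outside the VoIP management segment warrants the compromise audit described above.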
References
For further technical details and remediation guidance, consult the following resources:
Rapid7 Technical Analysis and Exploit: https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/
SecurityWeek Coverage: https://www.securityweek.com/critical-grandstream-phone-vulnerability-exposes-calls-to-interception/
TheHackerNews Report: https://thehackernews.com/2026/02/grandstream-gxp1600-voip-phones-exposed.html
HelpNetSecurity News: https://www.helpnetsecurity.com/2026/02/19/grandstream-voip-phones-vulnerability-cve-2026-2329/
runZero Blog: https://www.runzero.com/blog/grandstream-voip-phones/
Grandstream PSIRT: https://www.grandstream.com/support/security-center
NVD Entry for CVE-2026-2329: https://nvd.nist.gov/vuln/detail/CVE-2026-2329
Metasploit PoC: https://github.com/rapid7/metasploit-framework/pull/18600
SIP Proxy for Testing: https://github.com/rapid7/sip-proxy
Rescana is here for you
Rescana is committed to helping organizations manage third-party and supply chain cyber risk. Our advanced TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you identify and mitigate vulnerabilities across your digital ecosystem. While this advisory focuses on the Grandstream GXP1600 vulnerability, our platform is designed to help you stay ahead of emerging threats and maintain compliance with industry standards.
If you have questions about this advisory, require assistance with incident response, or would like to learn more about how Rescana can help secure your organization, please contact us at ops@rescana.com. Our team of experts is ready to support you.