CVE-2026-2329

9.8 CRITICAL

📋 TL;DR

An unauthenticated stack-based buffer overflow in Grandstream GXP1600 series VoIP phones lets remote attackers execute arbitrary code with root privileges. All six device models in the GXP16xx series are affected, and an attacker can completely compromise a device over the network.

💻 Affected Systems

Products:
  • GXP1610
  • GXP1615
  • GXP1620
  • GXP1625
  • GXP1628
  • GXP1630
Versions: All versions prior to 1.0.7.81
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with HTTP API enabled (default) are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover with root privileges, allowing installation of persistent malware, credential theft, lateral movement, and use as an attack platform

🟠 Likely Case: Device compromise leading to eavesdropping on calls, credential harvesting, and participation in botnets

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound rules and network segmentation

🌐 Internet-Facing: HIGH - Directly exploitable over HTTP without authentication
🏢 Internal Only: HIGH - Exploitable from any network segment with access to device management interface

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available, making exploitation trivial for attackers with basic skills

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.7.81

Vendor Advisory: https://psirt.grandstream.com/

Restart Required: Yes

Instructions:

1. Download firmware 1.0.7.81 from the Grandstream support portal.
2. Log into the device web interface.
3. Navigate to Maintenance > Upgrade.
4. Upload the firmware file.
5. Click Upgrade and wait for the reboot.

🔧 Temporary Workarounds

Disable HTTP API (platform: all)

Disable the vulnerable HTTP API endpoint if it is not required:

Navigate to web interface > Security > HTTP/HTTPS > Disable HTTP API

Network Access Control (platform: linux)

Restrict access to the device management interface using firewall rules on the gateway in front of the phones:

# Allow HTTP management only from the trusted range (replace trusted_network with a CIDR);
# rules are matched in order, so the ACCEPT must come before the catch-all DROP.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Segment VoIP devices on isolated VLAN with strict firewall rules
  • Implement network-based intrusion detection to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: Login > Status > System Status > Firmware Version

Check Version:

curl -s http://device-ip/cgi-bin/api.values.get?name=system.firmware.version

Verify Fix Applied:

Verify firmware version shows 1.0.7.81 or higher after upgrade

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP requests to /cgi-bin/api.values.get
  • Unusual process execution in system logs
  • Unexpected firmware version changes

Network Indicators:

  • HTTP POST requests to /cgi-bin/api.values.get with large payloads
  • Unusual outbound connections from VoIP devices
  • Traffic to known exploit servers

SIEM Query:

source="voip-firewall" dest_port=80 AND uri_path="/cgi-bin/api.values.get" AND content_length>1000
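As an added example (not from the advisory or from Grandstream), the log and network indicators above combined into one sweep over a constructed log format: it flags POST requests to /cgi-bin/api.values.get whose body exceeds the SIEM query's 1000-byte threshold, and sources that repeatedly fail against that endpoint. The log line format, the sample lines and the 5-failure threshold are assumptions made for this example.

```python
import re

# Endpoint and request-body threshold from the advisory's SIEM query.
VULN_PATH = "/cgi-bin/api.values.get"
BODY_THRESHOLD = 1000

# Hypothetical firewall/proxy log format (constructed for this example):
#   <timestamp> <src_ip> <method> <path> status=<code> bytes_in=<request body size>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d{3}) bytes_in=(?P<bytes_in>\d+)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than abort the sweep
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes_in"] = int(rec["bytes_in"])
    return rec

def find_suspicious(lines, failure_threshold=5):
    """Return (timestamp, source, reason) tuples for oversized POSTs to the
    vulnerable endpoint and for sources with repeated failed requests to it."""
    hits, failures = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string so "?name=system.firmware.version" still matches.
        if rec["path"].split("?", 1)[0] != VULN_PATH:
            continue
        if rec["method"] == "POST" and rec["bytes_in"] > BODY_THRESHOLD:
            hits.append((rec["ts"], rec["src"], f"oversized POST body ({rec['bytes_in']} bytes)"))
        if rec["status"] >= 400:
            failures[rec["src"]] = failures.get(rec["src"], 0) + 1
    for src, n in failures.items():
        if n >= failure_threshold:
            hits.append(("", src, f"{n} failed requests"))
    return hits

# Constructed sample log: a benign version check from a management host, then an
# oversized POST and four failed probes from one external source.
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z 10.0.5.20 GET /cgi-bin/api.values.get?name=system.firmware.version status=200 bytes_in=0",
    "2026-03-01T10:00:05Z 203.0.113.7 POST /cgi-bin/api.values.get status=500 bytes_in=4096",
] + [f"2026-03-01T10:00:0{i}Z 203.0.113.7 GET /cgi-bin/api.values.get?name=x status=404 bytes_in=0" for i in range(6, 10)]
```

Running find_suspicious(SAMPLE_LOG) reports the oversized POST and the five failures from 203.0.113.7 while the legitimate version check from 10.0.5.20 produces nothing.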
