Severity: Critical · Public exploit

Unauthenticated RCE in Grandstream GXP1600 /cgi-bin/api.values.get

Identifiers: CVE-2026-2329 · CWE-121 Stack-based Buffer Overflow

CVE-2026-2329 is a critical unauthenticated stack-based buffer overflow in the HTTP API of Grandstream GXP1600-series VoIP phones. The flaw is reachable in the default configuration through the /cgi-bin/api.values.get endpoint over HTTP: the request parameter is parsed as colon-delimited identifiers and copied into a fixed 64-byte stack buffer without a bounds check. An overly long attacker-controlled request value overflows that buffer, corrupts adjacent stack memory, and can hijack control flow. Rapid7 reported that the vulnerable code lives in the native /app/bin/gs_web component and that exploitation requires no authentication, yielding remote code execution as root. The issue affects GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 devices running firmware earlier than 1.0.7.81; public Metasploit exploit and post-exploitation modules are available.
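To make the bug class concrete, here is an added example that models the pattern the advisory describes; it is not Grandstream's gs_web code, which this page does not reproduce. A colon-delimited request value is split into identifiers and copied into a 64-byte stack buffer, first with no length check and then with one. The example assumes each identifier is copied separately (the advisory does not say whether the copy is per identifier or of the whole value; the length check is the fix either way), and the identifier names P1, P2, P3 and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF 64   /* the fixed 64-byte stack buffer the advisory describes */

/* Vulnerable pattern, modelled on the advisory's description (not the
 * real gs_web code): every colon-delimited identifier in 'request' is
 * copied into a 64-byte stack buffer with no length check, so any
 * identifier of 64 bytes or more overruns 'id'. Shown for contrast only;
 * never feed it untrusted input. */
static int lookup_values_vulnerable(const char *request)
{
    char copy[256];
    char id[ID_BUF];
    size_t len = strlen(request);
    int n = 0;

    if (len >= sizeof copy)
        len = sizeof copy - 1;
    memcpy(copy, request, len);
    copy[len] = '\0';
    for (char *tok = strtok(copy, ":"); tok; tok = strtok(NULL, ":")) {
        strcpy(id, tok);        /* BUG: unbounded copy into a 64-byte buffer */
        n++;
    }
    return n;
}

/* Hardened form: measure each identifier before copying and reject the
 * whole request if any would not fit, so 'ids' can never be overrun.
 * Empty identifiers (from "::") are skipped. Returns the count, -1 for an
 * oversized identifier, -2 if the caller's array is full. */
static int lookup_values_hardened(const char *request,
                                  char ids[][ID_BUF], size_t max_ids)
{
    size_t n = 0;
    const char *p = request;

    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len >= ID_BUF)
            return -1;
        if (len > 0) {
            if (n == max_ids)
                return -2;
            memcpy(ids[n], p, len);
            ids[n][len] = '\0';
            n++;
        }
        if (!sep)
            break;
        p = sep + 1;
    }
    return (int)n;
}

/* Parses with the hardened routine and returns its verdict. */
static int count_ids(const char *request)
{
    char ids[16][ID_BUF];
    return lookup_values_hardened(request, ids, 16);
}

/* Constructs a request holding one identifier of 'len' bytes (the shape
 * of input that triggers the overflow) and returns the hardened verdict. */
static int id_of_len(size_t len)
{
    char req[256];

    if (len >= sizeof req)
        return -3;
    memset(req, 'A', len);
    req[len] = '\0';
    return count_ids(req);
}

int main(void)
{
    printf("benign request -> %d identifiers\n", count_ids("P1:P2:P3"));
    printf("63-byte identifier -> %d\n", id_of_len(63));
    printf("64-byte identifier -> %d (rejected)\n", id_of_len(64));
    printf("vulnerable path on benign input -> %d\n",
           lookup_values_vulnerable("P1:P2"));
    return 0;
}
```

The boundary is the point to notice: a 63-byte identifier plus its terminator fits exactly, a 64-byte one does not, and the hardened parser refuses the request before touching the buffer rather than truncating, which keeps the failure visible in logs.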


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides unauthenticated remote code execution with root privileges on the phone. An attacker can fully compromise the device, execute arbitrary OS commands, extract stored secrets including local user and SIP account credentials, and reconfigure SIP settings. Post-compromise, the device can be pointed at an attacker-controlled SIP proxy, enabling interception and eavesdropping of calls in permissive SIP environments. Because these phones are often trusted, lightly monitored, and internally reachable, compromise can also provide a covert foothold for persistence, internal reconnaissance, and potential lateral movement from the voice environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove direct internet exposure of the phone web/API interface, restrict access to management and HTTP services to trusted administrative networks only, and segment VoIP devices from user and general-purpose subnets with strict ACLs. Monitor for unexpected access to the web interface, configuration changes, repeated reboots, new SIP proxy or registrar settings, and phones communicating with unfamiliar IPs or external DNS names. Centralize PBX/SIP logs and alert on anomalous SIP routing or configuration pushes. These are compensating controls only and do not eliminate the underlying memory corruption flaw.
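One of the monitoring points above, unexpected access to the web interface, can be checked directly in HTTP logs where the phones sit behind a reverse proxy or a sensor captures their web traffic. The following added example (not Mallory's or Grandstream's code) scans constructed access-log lines for requests to /cgi-bin/api.values.get and flags any whose percent-decoded request parameter contains a single identifier of 64 bytes or more, the condition the advisory ties to the overflow. The log format, addresses and timestamps are constructed, and the rule assumes legitimate identifiers are far shorter than the 64-byte buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ID_LIMIT 64   /* an identifier this long overruns the 64-byte buffer */

static int hexval(int c)
{
    const char *digits = "0123456789abcdef";
    const char *p = c ? strchr(digits, tolower(c)) : NULL;
    return p ? (int)(p - digits) : -1;
}

/* Percent-decodes 'inlen' bytes of 'in' into 'out'; %3A must become ':'
 * or an attacker could hide the delimiter from the check. */
static size_t url_decode(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t o = 0;

    for (size_t i = 0; i < inlen && o + 1 < outsz; i++) {
        int h, l;
        if (in[i] == '%' && i + 2 < inlen &&
            (h = hexval(in[i + 1])) >= 0 && (l = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(h * 16 + l);
            i += 2;
        } else {
            out[o++] = (in[i] == '+') ? ' ' : in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Returns the value of "?name=" or "&name=" after 'start', or NULL. */
static const char *find_param(const char *start, const char *name)
{
    size_t nlen = strlen(name);

    for (const char *p = strstr(start, name); p; p = strstr(p + 1, name))
        if (p > start && (p[-1] == '?' || p[-1] == '&') && p[nlen] == '=')
            return p + nlen + 1;
    return NULL;
}

/* Longest colon-delimited identifier in the decoded 'request' parameter
 * of an api.values.get request; 0 if the line is not such a request. */
static size_t max_identifier_len(const char *logline)
{
    const char *path = strstr(logline, "/cgi-bin/api.values.get");
    const char *val = path ? find_param(path, "request") : NULL;
    char decoded[2048];
    size_t dlen, best = 0, cur = 0;

    if (!val)
        return 0;
    dlen = url_decode(val, strcspn(val, "& \""), decoded, sizeof decoded);
    for (size_t i = 0; i < dlen; i++) {
        if (decoded[i] != ':') { cur++; continue; }
        if (cur > best) best = cur;
        cur = 0;
    }
    return cur > best ? cur : best;
}

static int line_is_suspicious(const char *logline)
{
    return max_identifier_len(logline) >= ID_LIMIT;
}

/* Builds a constructed attack-shaped line with one identifier of 'idlen'
 * bytes and returns the detector's verdict (-1 if it does not fit). */
static int constructed_is_suspicious(size_t idlen)
{
    char line[4096];
    int n = snprintf(line, sizeof line, "203.0.113.7 - - [01/Jan/2026:00:00:00 +0000] "
                                        "\"GET /cgi-bin/api.values.get?request=");

    if (n < 0 || (size_t)n + idlen + 32 >= sizeof line)
        return -1;
    memset(line + n, 'A', idlen);
    strcpy(line + n + idlen, " HTTP/1.1\" 200 16");
    return line_is_suspicious(line);
}

/* Constructed sample log lines (common log format); none should alert. */
static const char *SAMPLE_LOG[] = {
    "10.0.5.12 - - [01/Jan/2026:00:00:01 +0000] \"GET /cgi-bin/api.values.get?request=P1:P2 HTTP/1.1\" 200 180",
    "10.0.5.12 - - [01/Jan/2026:00:00:02 +0000] \"GET /cgi-bin/api.values.get?request=P1%3AP2%3AP3 HTTP/1.1\" 200 240",
    "10.0.5.13 - - [01/Jan/2026:00:00:03 +0000] \"GET /index.html HTTP/1.1\" 200 1024",
};

/* Scans the samples plus a constructed 120-byte identifier; returns the alert count. */
static int count_alerts(void)
{
    int alerts = 0;

    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++)
        alerts += line_is_suspicious(SAMPLE_LOG[i]);
    return alerts + (constructed_is_suspicious(120) == 1);
}

int main(void)
{
    printf("alerts over sample log: %d\n", count_alerts());
    return 0;
}
```

Decoding before measuring is the part worth keeping: a rule that counts raw bytes would let %3A-encoded colons split a long identifier into short-looking pieces, and it would also misjudge a legitimate multi-identifier request whose total length exceeds 64. Because the phone itself may not log these requests, this check is most useful on a proxy or sensor placed in front of the management interface.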

Remediation

Patch, then assume compromise.

Upgrade affected Grandstream GXP1600-series devices to firmware 1.0.7.81 or later, the vendor fix for all affected GXP16xx models. Inventory every GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 device, identify those running firmware earlier than 1.0.7.81, and update them first. Because exploitation is unauthenticated and yields root, treat any phone that was reachable while unpatched as potentially compromised: after the update, rotate local administrator and SIP account credentials (both extractable by an attacker with root), verify SIP proxy and registrar settings against the intended configuration, and review logs for the indicators listed under Mitigation.
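Identifying devices below the fixed version needs a numeric, per-component version comparison: a plain string compare would rank a hypothetical 1.0.7.9 above 1.0.7.81 and mark it patched. The following added example (not vendor tooling) implements that comparison and runs it over a constructed inventory; the hostnames, models and firmware strings are assumptions, and 1.0.7.81 is the fixed version the advisory gives.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_VERSION "1.0.7.81"   /* vendor fix for the affected GXP16xx models */

/* Compares dotted numeric versions component by component: "1.0.7.9"
 * sorts below "1.0.7.81", which a plain strcmp gets backwards. Missing
 * trailing components count as 0; non-digit suffixes are ignored.
 * Returns <0, 0 or >0 like strcmp. */
static int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        char *ea, *eb;
        long va = strtol(a, &ea, 10);
        long vb = strtol(b, &eb, 10);

        if (va != vb)
            return va < vb ? -1 : 1;
        ea += strcspn(ea, ".");           /* skip anything up to the next dot */
        eb += strcspn(eb, ".");
        a = (*ea == '.') ? ea + 1 : ea;
        b = (*eb == '.') ? eb + 1 : eb;
    }
    return 0;
}

/* 1 if a device reporting firmware 'fw' is below the fixed version. */
static int firmware_is_vulnerable(const char *fw)
{
    return version_cmp(fw, FIXED_VERSION) < 0;
}

struct phone {
    const char *host;
    const char *model;
    const char *fw;
};

/* Prints one line per device (when 'out' is non-NULL) and returns how
 * many still need the firmware update. */
static int triage(const struct phone *inv, size_t n, FILE *out)
{
    int needs_update = 0;

    for (size_t i = 0; i < n; i++) {
        int vuln = firmware_is_vulnerable(inv[i].fw);

        needs_update += vuln;
        if (out)
            fprintf(out, "%-12s %-8s %-10s %s\n", inv[i].host, inv[i].model,
                    inv[i].fw, vuln ? "UPDATE" : "ok");
    }
    return needs_update;
}

/* Constructed inventory: hosts, models and firmware strings are assumptions. */
static const struct phone INVENTORY[] = {
    { "10.0.5.12", "GXP1625", "1.0.7.80" },   /* one build below the fix */
    { "10.0.5.13", "GXP1630", "1.0.7.81" },   /* exactly the fix */
    { "10.0.5.14", "GXP1610", "1.0.7.9"  },   /* old, yet strcmp ranks it above 1.0.7.81 */
    { "10.0.5.15", "GXP1628", "1.0.8.1"  },   /* hypothetical later release */
};

static int demo_triage(FILE *out)
{
    return triage(INVENTORY, sizeof INVENTORY / sizeof INVENTORY[0], out);
}

int main(void)
{
    printf("devices needing update: %d\n", demo_triage(stdout));
    return 0;
}
```

Feed it the firmware strings your provisioning system or an SNMP/HTTP inventory sweep reports; the comparison treats a missing trailing component as zero, so 1.0.7.81 and 1.0.7.81.0 compare equal.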
PUBLIC EXPLOITS

Exploits

Mallory's exploit tracker lists no entries for this CVE (0 valid / 0 total), although the summary above notes that public Metasploit exploit and post-exploitation modules exist.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                Product             Type
Grandstream Networks  GXP1610             hardware
Grandstream Networks  GXP1610 Firmware    operating_system
Grandstream Networks  GXP1615             hardware
Grandstream Networks  GXP1615 Firmware    operating_system
Grandstream Networks  GXP1620             hardware
Grandstream Networks  GXP1620 Firmware    operating_system
Grandstream Networks  GXP1625             hardware
Grandstream Networks  GXP1625 Firmware    operating_system
Grandstream Networks  GXP1628             hardware
Grandstream Networks  GXP1628 Firmware    operating_system
Grandstream Networks  GXP1630             hardware
Grandstream Networks  GXP1630 Firmware    operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.


Social activity: 44 community discussions across Reddit, Mastodon, and other social sources.