
"Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices. The vulnerability, tracked as CVE-2026-2329, carries a CVSS score of 9.3 out of a maximum of 10.0. It has been described as a case of unauthenticated stack-based buffer overflow that could result in remote code execution."
"According to the cybersecurity company, the issue is rooted in the device's web-based API service ("/cgi-bin/api.values.get") and is accessible in a default configuration without requiring authentication. This endpoint is designed to fetch one or more configuration values from the phone, such as the firmware version number or the model, through a colon-delimited string in the "request" parameter (e.g., "request=68:phone_model"), which is then parsed to extract each identifier and append it to a 64-byte buffer on the stack."
"When appending another character to the small 64-byte buffer, no length check is performed to ensure that no more than 63 characters (plus the appended null terminator) are ever written to this buffer," Fewer explained. "Therefore, an attacker-controlled 'request' parameter can write past the bounds of the small 64-byte buffer on the stack, overflowing into adjacent stack memory."
An unauthenticated stack-based buffer overflow (CVE-2026-2329) affects Grandstream GXP1600 series VoIP phones and can enable unauthenticated remote code execution with root privileges. The flaw has a CVSS score of 9.3 and originates in the device's web-based API service (/cgi-bin/api.values.get), which is accessible in default configurations. The endpoint parses a colon-delimited 'request' parameter (e.g., 'request=68:phone_model') and appends identifiers to a 64-byte stack buffer without length checks. Appending additional characters can overwrite adjacent stack memory, allowing attackers to corrupt control data and execute arbitrary code. Rapid7 researcher Stephen Fewer discovered and reported the vulnerability on January 6, 2026.
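To make the described defect concrete, here is an added C illustration (not the GXP1600 firmware's code, which is not on the page) of a colon-delimited "request" parser that copies each identifier into a 64-byte stack buffer but performs the length check the advisory says is missing. The function name, the identifier limit and the sample inputs are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Buffer size named in the advisory: 64 bytes, so at most 63 characters
 * plus the terminating NUL may ever be stored in it. */
#define IDENT_BUF_SIZE 64
#define IDENT_MAX_LEN  (IDENT_BUF_SIZE - 1)

/* Split a colon-delimited request value such as "68:phone_model" into
 * identifiers, staging each one in a 64-byte stack buffer before copying
 * it out. Returns the number of identifiers, or -1 if an identifier would
 * not fit in the buffer with its NUL terminator or if more than max_ids
 * are present. The len check before the append is the one the vulnerable
 * parser lacks; without it the write runs past buf into the stack. */
int parse_request_ids(const char *request, char ids[][IDENT_BUF_SIZE], int max_ids)
{
    char buf[IDENT_BUF_SIZE];   /* same size as the buffer in the advisory */
    size_t len = 0;
    int count = 0;
    const char *p = request;

    for (;; p++) {
        char c = *p;
        if (c == ':' || c == '\0') {
            buf[len] = '\0';            /* len <= 63 here, so this is in bounds */
            if (count >= max_ids)
                return -1;
            memcpy(ids[count++], buf, len + 1);
            len = 0;
            if (c == '\0')
                break;
            continue;
        }
        /* Bounds check before appending: reject the request instead of
         * writing a 64th character into a 64-byte buffer. */
        if (len >= IDENT_MAX_LEN)
            return -1;
        buf[len++] = c;
    }
    return count;
}

int main(void)
{
    char ids[4][IDENT_BUF_SIZE];                 /* constructed sample input */
    int n = parse_request_ids("68:phone_model", ids, 4);
    for (int i = 0; i < n; i++)
        printf("identifier %d: %s\n", i, ids[i]);
    return 0;
}
```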
Read at The Hacker News