CVE-2026-2329
Stack-Based Buffer Overflow in GXP Series HTTP API Enables Root RCE
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: Rapid7, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grandstream | gxp1610_firmware | to 1.0.7.81 (exc) |
| grandstream | gxp1615_firmware | to 1.0.7.81 (exc) |
| grandstream | gxp1620_firmware | to 1.0.7.81 (exc) |
| grandstream | gxp1625_firmware | to 1.0.7.81 (exc) |
| grandstream | gxp1628_firmware | to 1.0.7.81 (exc) |
| grandstream | gxp1630_firmware | to 1.0.7.81 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-2329 is a critical unauthenticated stack-based buffer overflow vulnerability found in the Grandstream GXP1600 series VoIP phones, affecting six models due to shared firmware. The flaw exists in the device's web-based API service at the /cgi-bin/api.values.get endpoint, which is accessible without authentication by default."}, {'type': 'paragraph', 'content': "The vulnerability arises from improper handling of the 'request' HTTP POST parameter, which contains colon-delimited identifiers. The vulnerable function copies each identifier into a fixed-size 64-byte stack buffer without checking length, allowing an attacker to overflow this buffer by supplying an overly long identifier."}, {'type': 'paragraph', 'content': 'This overflow can overwrite adjacent stack memory, including control data such as the return address and CPU registers, enabling an attacker to control the program counter and execute arbitrary code remotely with root privileges.'}, {'type': 'paragraph', 'content': 'The vulnerable binary is a 32-bit ARM executable listening on TCP port 80. The exploit requires Return Oriented Programming (ROP) techniques due to security mitigations like non-executable stack and absence of stack canaries.'}] [1]
How can this vulnerability impact me? :
An unauthenticated remote attacker can exploit this vulnerability to achieve remote code execution with root privileges on affected Grandstream GXP1600 series devices.
Exploitation allows attackers to run arbitrary commands, extract sensitive credentials such as HTTP, SIP, and TR-069 account information, and reconfigure the device to use malicious SIP proxies.
By redirecting SIP traffic through a malicious proxy, attackers can intercept and eavesdrop on VoIP calls, compromising confidentiality and integrity of communications.
These impacts can lead to unauthorized access, data leakage, and potential disruption or manipulation of telephony services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get on Grandstream GXP1600 series devices, accessible without authentication by default. Detection can be performed by sending crafted HTTP POST requests to this endpoint and analyzing the responses.'}, {'type': 'paragraph', 'content': 'A legitimate request example to check the device and its firmware version is:'}, {'type': 'list_item', 'content': 'curl -ik http://<ip>/cgi-bin/api.values.get --data "request=68:phone_model"'}, {'type': 'paragraph', 'content': "To detect potential exploitation or test for the vulnerability, one could attempt sending an overly long 'request' parameter (e.g., 256 bytes) to see if the device crashes or behaves abnormally, indicating the buffer overflow."}, {'type': 'paragraph', 'content': 'Additionally, the HTTP service listens on TCP port 80 by default, so network scanning for open port 80 on these devices can help identify potential targets.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade the device firmware to version 1.0.7.81 or later, which fully remediates the vulnerability.'}, {'type': 'paragraph', 'content': "Until the firmware is updated, consider restricting network access to the device's HTTP service (TCP port 80) to trusted hosts only, to reduce exposure to unauthenticated remote attacks."}, {'type': 'paragraph', 'content': 'Monitor devices for unusual behavior or signs of compromise, such as unexpected reboots or presence of temporary files like /tmp/core.gz and /core, which may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'If exploitation is suspected, perform credential audits and reset device configurations, as attackers can extract credentials and reconfigure SIP proxies for eavesdropping.'}] [1, 3]