Grandstream GXP1600 series unauthenticated stack-based buffer overflow remote code execution flaw (CVE-2026-2329)
Vulnerability
Summary
The Grandstream GXP1600 series is affected by CVE-2026-2329, a critical stack-based buffer overflow that can enable unauthenticated remote code execution on susceptible VoIP phones. The flaw affects the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 models and can lead to root privileges. Grandstream addressed the issue in firmware 1.0.7.81. A Metasploit exploit module has already demonstrated practical exploitation and post-exploitation credential access.
Related Happenings
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
First: 27.02.2026 19:59
Last: 27.02.2026 19:59
Sources 1
About this happening:
More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation Wave
First: 18.02.2026 08:52
Last: 18.02.2026 08:52
Sources 1
About this happening:
**CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
-
18.02.2026 18:35 2 articles · 3mo ago
Rapid7 identifies CVE-2026-2329 in Grandstream GXP1600 phones
Technical Analysis Update
Rapid7 researcher Stephen Fewer discovered and reported CVE-2026-2329 on January 6, 2026, identifying an unauthenticated stack-based buffer overflow in the default-accessible `/cgi-bin/api.values.get` web API on Grandstream GXP1600 series VoIP phones. A crafted colon-delimited `request` parameter can overflow a 64-byte stack buffer and enable unauthenticated remote code execution with root privileges.
Sources:
- Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution — thehackernews.com — 18.02.2026 18:35
- Flaw in Grandstream VoIP phones allows stealthy eavesdropping — www.bleepingcomputer.com — 19.02.2026 19:16
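
The overflow class described in this entry, seen from the fix side as an added example (not Grandstream firmware code and not taken from the cited articles): a C splitter for a colon-delimited identifier list that checks every token against the 64-byte buffer before copying a single byte. `split_request`, `count_ids`, `MAX_IDS` and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF  64   /* per-identifier buffer size, as in the write-up */
#define MAX_IDS 16   /* assumed cap on identifiers per request */

/* Split a colon-delimited list into fixed-size slots.
 * Returns the number of identifiers stored, or -1 if any identifier would
 * not fit in ID_BUF (terminating NUL included) or there are more than
 * MAX_IDS of them. The length is checked before any byte is copied. */
int split_request(const char *req, char out[MAX_IDS][ID_BUF]) {
    int n = 0;
    const char *p = req;
    while (*p) {
        size_t len = strcspn(p, ":");   /* length of the current token */
        if (len >= ID_BUF)
            return -1;                  /* too long: reject the whole request */
        if (len > 0) {                  /* skip empty tokens such as "a::b" */
            if (n == MAX_IDS)
                return -1;              /* too many identifiers */
            memcpy(out[n], p, len);
            out[n][len] = '\0';
            n++;
        }
        p += len;
        if (*p == ':')
            p++;                        /* step over the delimiter */
    }
    return n;
}

/* Convenience wrapper: identifier count for a request, -1 if rejected. */
int count_ids(const char *req) {
    char ids[MAX_IDS][ID_BUF];
    return split_request(req, ids);
}

int main(void) {
    char big[ID_BUF + 1];               /* constructed 64-byte identifier */
    memset(big, 'A', ID_BUF);
    big[ID_BUF] = '\0';
    printf("%d\n", count_ids("68:phone_model:"));  /* constructed input */
    printf("%d\n", count_ids(big));                /* one byte too long */
    return 0;
}
```

A 63-byte identifier is the longest that fits; at 64 bytes the terminating NUL would land outside the buffer, so the request is refused rather than truncated.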
-
18.02.2026 18:35 1 articles · 3mo ago
Grandstream discloses CVE-2026-2329 and firmware 1.0.7.81 fix
Initial Disclosure
On February 18, 2026, Grandstream GXP1600 series models were publicly disclosed as affected by CVE-2026-2329, a critical CVSS 9.3 flaw that could let an attacker seize control of the phones through `/cgi-bin/api.values.get`. The affected models include GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630, and the issue was addressed in firmware 1.0.7.81 released late last month.
Sources:
- Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution — thehackernews.com — 18.02.2026 18:35