Grandstream GXP1600 Unauthenticated Remote Code Execution (CVE-2026-2329)

Overview

CVE-2026-2329 is an unauthenticated remote code execution vulnerability in multiple Grandstream GXP1600 series VoIP phones. These devices are commonly deployed for business voice communications, so compromise can expose call infrastructure, device configuration, and network-adjacent access.

Vulnerability Overview

CVE-2026-2329 is an unauthenticated stack-based buffer overflow in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can exploit the vulnerable endpoint without authentication to achieve remote code execution with root privileges on the target device.

The vulnerability affects all six Grandstream GXP1600 series models identified in the advisory: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.8 in NVD. Successful exploitation can allow unauthenticated remote code execution with full device-level impact.

Because VoIP phones are often deployed on internal networks and may be reachable from management segments, device compromise can create persistence, surveillance, or lateral movement risk.

Vulnerability Scope

Affected firmware versions are up to and including 1.0.7.80 for the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 models. Grandstream release notes identify 1.0.7.81 as the fixed firmware release.

The highest-risk deployments are Grandstream GXP1600 devices with exposed HTTP management interfaces and outdated firmware.
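
The scope above can be applied to a device inventory as follows. This is an added example, not part of the original lab or of Grandstream's tooling; the inventory columns, host names and the four-part numeric version format are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# From the advisory text above: affected models and the first fixed firmware.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = (1, 0, 7, 81)

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
host,model,firmware,http_exposed
phone-01,GXP1610,1.0.7.80,yes
phone-02,gxp1628,1.0.7.81,no
phone-03,GXP1630,1.0.7.9,yes
phone-04,GXP1625,1.0.7.100,no
phone-05,GXP1620,unknown,yes
phone-06,GXP2170,1.0.7.10,yes
"""

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(model, firmware):
    """Classify one device as out-of-scope, vulnerable, patched, or review."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "review"  # cannot prove the device is patched
    # Numeric comparison: 1.0.7.9 < 1.0.7.81 < 1.0.7.100 (a string compare gets this wrong).
    return "vulnerable" if version < FIXED_VERSION else "patched"

def triage(inventory_csv):
    """Return (host, status, priority) rows, exposed unpatched devices first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(rec["model"], rec["firmware"])
        exposed = rec["http_exposed"].strip().lower() == "yes"
        urgent = status in ("vulnerable", "review") and exposed
        rows.append((rec["host"], status, "high" if urgent else "normal"))
    return sorted(rows, key=lambda r: (r[2] != "high", r[0]))

if __name__ == "__main__":
    for host, status, priority in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status:12} {priority}")
```

Devices whose firmware string cannot be parsed are marked for review rather than assumed patched, and affected-model devices with an exposed HTTP management interface sort to the top.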

Lab Focus

This Hackviser lab focuses on understanding how memory corruption in embedded device management APIs can become unauthenticated remote code execution. You will practice identifying affected Grandstream models, interpreting firmware fixed versions, and connecting VoIP device compromise to network hardening.

Resources