Advisory

Critical Unauthenticated Root Vulnerability in Grandstream GXP1600 VoIP Phones

Take action: If you are using Grandstream GXP1600 phones, update promptly to firmware 1.0.7.81. As a first step, isolate VoIP hardware on a dedicated, firewalled VLAN and confirm that management interfaces are not reachable from untrusted networks.


Learn More

Grandstream GXP1600 series VoIP phones are vulnerable to a critical security flaw that allows unauthenticated attackers to take full control of the devices.

The flaw is tracked as CVE-2026-2329 (CVSS score 9.3). It is an unauthenticated stack-based buffer overflow in the /cgi-bin/api.values.get endpoint of the gs_web binary, part of the web-based API service that is enabled by default.

The vulnerability occurs because the application fails to perform length checks when copying the 'request' parameter into a 64-byte stack buffer. Attackers can trigger the overflow multiple times using colon-delimited identifiers to write null bytes and construct a Return Oriented Programming (ROP) chain. 

Rapid7 researchers discovered that the flaw allows for remote code execution with root privileges. Because these devices are often trusted and rarely audited, they represent a significant risk for long-term persistence and lateral movement.

This vulnerability affects the entire Grandstream GXP1600 series, including models GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. 

All models share a common firmware image, making them equally susceptible if they are running version 1.0.7.79 or earlier.

Grandstream released firmware version 1.0.7.81, which implements bounds checking to prevent the overflow. Organizations should immediately update all affected handsets to the latest version available on the Grandstream firmware page and should ensure that VoIP management interfaces are isolated on dedicated administrative VLANs and are never exposed to the public internet.
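The bounds check the fix describes, shown in C as an added example rather than Grandstream's gs_web code: the 'request' value is refused if it cannot fit in the 64-byte buffer with its terminating NUL, and the colon-delimited identifiers are then split with empty and excess identifiers rejected. Function names, the identifier cap and the sample identifier names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define REQ_BUF_SIZE 64   /* size of the stack buffer named in the advisory */

/* Bounds-checked copy of the 'request' parameter. The unpatched code copied
 * without a length check; here any value of 64 bytes or more (no room for the
 * terminating NUL) is refused instead of overrunning the buffer. */
bool copy_request_checked(char buf[REQ_BUF_SIZE], const char *request) {
    const char *end = memchr(request, '\0', REQ_BUF_SIZE);
    if (end == NULL) {                     /* no NUL within 64 bytes: too long */
        buf[0] = '\0';
        return false;
    }
    size_t len = (size_t)(end - request);  /* len <= 63 */
    memcpy(buf, request, len + 1);         /* copies the NUL too, fits exactly */
    return true;
}

/* Split a validated request into colon-delimited identifiers, in place.
 * Returns the count, or -1 if an identifier is empty or there are more than
 * max_ids of them (both refused rather than silently truncated). */
int split_identifiers(char *buf, const char *ids[], int max_ids) {
    int n = 0;
    char *p = buf;
    for (;;) {
        char *colon = strchr(p, ':');
        if (colon != NULL)
            *colon = '\0';
        if (*p == '\0' || n == max_ids)
            return -1;
        ids[n++] = p;
        if (colon == NULL)
            return n;
        p = colon + 1;
    }
}

/* Handler entry point (hypothetical name): copy with the bounds check, then
 * split. Returns the identifier count, or -1 if either stage rejects input.
 * buf is caller-supplied because ids[] points into it. */
int handle_request_param(const char *request, char buf[REQ_BUF_SIZE],
                         const char *ids[], int max_ids) {
    if (!copy_request_checked(buf, request))
        return -1;
    return split_identifiers(buf, ids, max_ids);
}
```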
