Users Can Run Malicious Code on Certain IP Phones

Summary

An attacker can exploit a weakness in certain IP phone models to execute malicious code with super user privileges. This affects multiple models, including the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. Update the phone's software to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
grandstream	gxp1610_firmware	<= 1.0.7.81	–
grandstream	gxp1615_firmware	<= 1.0.7.81	–
grandstream	gxp1620_firmware	<= 1.0.7.81	–
grandstream	gxp1625_firmware	<= 1.0.7.81	–
grandstream	gxp1628_firmware	<= 1.0.7.81	–
grandstream	gxp1630_firmware	<= 1.0.7.81	–

Original title

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated re...

Original description

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

nvd CVSS3.1 9.8

nvd CVSS4.0 9.3

Vulnerability type

CWE-121 Stack-based Buffer Overflow

https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdf Product Release Notes
https://github.com/rapid7/metasploit-framework/pull/20983 VDB Entry Patch
https://psirt.grandstream.com/ Vendor Advisory
https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack... Third Party Advisory VDB Entry