CVE-2026-2329
Published 2026-02-18
CVE-2026-2329: An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this…
Priority P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 40.01% (98.4th percentile)
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | gxp1610 | <= 1.0.7.80 | — |
| grandstream | gxp1610_firmware | < 1.0.7.81 | 1.0.7.81 |
| grandstream | gxp1615 | <= 1.0.7.80 | — |
| grandstream | gxp1615_firmware | < 1.0.7.81 | 1.0.7.81 |
| grandstream | gxp1620 | <= 1.0.7.80 | — |
| grandstream | gxp1620_firmware | < 1.0.7.81 | 1.0.7.81 |
| grandstream | gxp1625 | <= 1.0.7.80 | — |
| grandstream | gxp1625_firmware | < 1.0.7.81 | 1.0.7.81 |
| grandstream | gxp1628 | <= 1.0.7.80 | — |
| grandstream | gxp1628_firmware | < 1.0.7.81 | 1.0.7.81 |
| grandstream | gxp1630 | <= 1.0.7.80 | — |
| grandstream | gxp1630_firmware | < 1.0.7.81 | 1.0.7.81 |
Detection & IOCs (extracted from sources)
- Alert on post-exploitation indicators: SIP proxy reconfiguration on GXP1600-series devices and unexpected credential access, which are the primary post-exploitation actions enabled by this vulnerability.
- Check Point IPS signature 'Grandstream GXP1600 Stack Overflow (CVE-2026-2329)' can be used for network-level detection of exploitation attempts.
- The vulnerable endpoint /cgi-bin/api.values.get is accessible without authentication in the default device configuration, meaning no credential bypass is required for exploitation.
- Even devices not directly internet-exposed are at risk; an attacker with access to the local network can pivot to vulnerable GXP1600-series devices.
- All six GXP1600 series models (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630) running firmware prior to 1.0.7.81 are affected.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
Rapid7
CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)
blogs_rapid7·2026-05-14·CVSS 10.0
CVE-2026-20127 [CRITICAL] CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)
## Overview
While researching a critical authentication bypass vulnerability, CVE-2026-20127, which was exploited in-the-wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182.
This new authentication bypass vulnerability affects the “vdaemon” service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127. The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the “vdaemon” networking stack.
This impact however is the same, a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as inj
Rapid7
Metasploit Wrap-Up 02/27/2026
blogs_rapid7·2026-02-27·CVSS 8.8
CVE-2024-37032 [HIGH] Metasploit Wrap-Up 02/27/2026
## No Prob-ollama
This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE (CVE-2024-37032), a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the Grandstream GXP1600 stack overflow (CVE-2026-2329), which targets VoIP devices with accompanying credential harvesting and SIP interception post-modules.
The BeyondTrust PRA/RS module got upgraded with support for the new CVE-2026-1731 command injection vulnerability along with legacy CVE support. On the evasion front, there's fresh ARM64 RC4 encryption support with sleep-based detection bypass. Classic vulnerability modules like Unreal IRCd and vsftpd backdoors got quality-of-life improvement
Checkpoint
23rd February – Threat Intelligence Report
blogs_checkpoint·2026-02-23
CVE-2023-27532 23rd February – Threat Intelligence Report
## 23rd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
France’s Ministry of Economy has disclosed a data breach resulting from unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrus
Bleepingcomputer
Flaw in Grandstream VoIP phones allows stealthy eavesdropping
blogs_bleepingcomputer·2026-02-19·CVSS 9.3
[CRITICAL] Flaw in Grandstream VoIP phones allows stealthy eavesdropping
## Flaw in Grandstream VoIP phones allows stealthy eavesdropping
## Bill Toulas
A critical vulnerability in Grandstream GXP1600 series VoIP phones allows a remote, unauthenticated attacker to gain root privileges and silently eavesdrop on communications.
VoIP communication equipment from Grandstream Networks is being used by small and medium businesses. The maker's GXP product line is part of the company's high-end offering for businesses, schools, hotels, and Internet Telephony Service Providers (ITSP) around the world.
The vulnerability is tracked as CVE-2026-2329 and received a critical severity score of 9.3. It impacts the following six models of the GXP1600 series of devices that run firmware versions prior to 1.0.7.81:
- GXP1610
- GXP1615
- GXP1620
- GXP1625
- GXP1628
- GXP1630
Even i
Published: 2026-02-18