cbcvebase.
CVE-2026-2329
published 2026-02-18

CVE-2026-2329: An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this…

PriorityP191critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
40.01%
98.4th percentile
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

Affected

12 ranges
VendorProductVersion rangeFixed in
grandstreamgxp1610<= 1.0.7.80
grandstreamgxp1610_firmware< 1.0.7.811.0.7.81
grandstreamgxp1615<= 1.0.7.80
grandstreamgxp1615_firmware< 1.0.7.811.0.7.81
grandstreamgxp1620<= 1.0.7.80
grandstreamgxp1620_firmware< 1.0.7.811.0.7.81
grandstreamgxp1625<= 1.0.7.80
grandstreamgxp1625_firmware< 1.0.7.811.0.7.81
grandstreamgxp1628<= 1.0.7.80
grandstreamgxp1628_firmware< 1.0.7.811.0.7.81
grandstreamgxp1630<= 1.0.7.80
grandstreamgxp1630_firmware< 1.0.7.811.0.7.81

Detection & IOCsextracted from sources · hover to see the quote

pathlinux/http/grandstream_gxp1600_unauth_rce
versionfirmware < 1.0.7.81
  • Alert on post-exploitation indicators: SIP proxy reconfiguration on GXP1600-series devices and unexpected credential access, which are the primary post-exploitation actions enabled by this vulnerability.
  • Check Point IPS signature 'Grandstream GXP1600 Stack Overflow (CVE-2026-2329)' can be used for network-level detection of exploitation attempts.
  • ·The vulnerable endpoint /cgi-bin/api.values.get is accessible without authentication in the default device configuration, meaning no credential bypass is required for exploitation.
  • ·Even devices not directly internet-exposed are at risk; an attacker with access to the local network can pivot to vulnerable GXP1600-series devices.
  • ·All six GXP1600 series models (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630) running firmware prior to 1.0.7.81 are affected.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.