
CVE-2026-2329: GXP Series VoIP Phones RCE Vulnerability

CVE-2026-2329 is a critical unauthenticated remote code execution flaw in Grandstream GXP1600 series VoIP phones. An attacker who can reach the phone's HTTP API can trigger a stack-based buffer overflow and run code as root. This article covers technical details, affected models, and mitigation.

Published: February 20, 2026

CVE-2026-2329 Overview

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get of Grandstream GXP1600 series VoIP phones. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. This critical firmware vulnerability affects all six device models in the GXP1600 series and requires no authentication to exploit.

Critical Impact

Unauthenticated remote attackers can achieve complete device compromise with root-level code execution on vulnerable Grandstream VoIP phones via network-accessible HTTP API.

Affected Products

  • Grandstream GXP1610
  • Grandstream GXP1615
  • Grandstream GXP1620
  • Grandstream GXP1625
  • Grandstream GXP1628
  • Grandstream GXP1630

Discovery Timeline

  • 2026-02-18 - CVE-2026-2329 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-2329

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption flaw that occurs when data written to a stack-allocated buffer exceeds its intended size. In the context of CVE-2026-2329, the vulnerable endpoint /cgi-bin/api.values.get fails to properly validate the length of user-supplied input before copying it to a fixed-size buffer on the stack.

The network-accessible nature of this vulnerability is particularly concerning for enterprise environments where VoIP phones are commonly deployed. Since the HTTP API endpoint requires no authentication, any attacker with network access to the device can craft malicious requests to trigger the overflow condition. Successful exploitation overwrites critical stack data including the return address, allowing attackers to redirect program execution to arbitrary code.

Root Cause

The root cause is insufficient input validation in the HTTP API handler for the /cgi-bin/api.values.get endpoint. The vulnerable code path accepts user-controlled data via HTTP requests and copies this data into a stack-allocated buffer without proper bounds checking. This classic stack buffer overflow pattern allows attackers to write beyond the buffer's boundary, corrupting adjacent stack memory including saved return addresses and other control data.
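To make the pattern concrete, here is an added illustration in C of the CWE-121 copy described above beside its bounded replacement. This is not Grandstream's firmware code: the 64-byte buffer, the query parameter name "value" and the function names are assumptions chosen for the example; the real handler's buffer size and parameter names are not given on this page.

```c
/* Added illustration of the CWE-121 pattern, not Grandstream's code.
 * Assumptions: a 64-byte stack buffer, a query parameter named "value",
 * and the function names below.  Build: cc -std=c99 -Wall cwe121.c */
#include <stdio.h>
#include <string.h>

#define VALUE_BUF_SIZE 64   /* assumed size of the fixed stack buffer */

/* Locate the value of parameter `name` in a query string such as
 * "a=1&value=foo".  Returns a pointer into `query` and sets *len to the
 * value's length, or NULL when the parameter is absent.  Nothing is
 * copied here, so the length is still fully attacker-controlled. */
static const char *find_query_value(const char *query, const char *name,
                                    size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t seg = amp ? (size_t)(amp - p) : strlen(p);
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = seg - nlen - 1;
            return p + nlen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Vulnerable pattern: the attacker-chosen length is never compared with
 * sizeof buf before the copy.  With len >= 64 the memcpy and the NUL write
 * run past buf into the saved registers and return address (CWE-121).
 * Kept only for contrast; never call it with untrusted input. */
int handle_value_unsafe(const char *query)
{
    char buf[VALUE_BUF_SIZE];
    size_t len;
    const char *v = find_query_value(query, "value", &len);
    if (v == NULL)
        return -1;
    memcpy(buf, v, len);          /* no bounds check */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Hardened version: check the length against the buffer first and refuse
 * oversized input outright rather than truncating it silently. */
int handle_value_safe(const char *query)
{
    char buf[VALUE_BUF_SIZE];
    size_t len;
    const char *v = find_query_value(query, "value", &len);
    if (v == NULL)
        return -1;                /* parameter missing */
    if (len >= sizeof buf)
        return -2;                /* would not fit with its terminating NUL */
    memcpy(buf, v, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Build "value=AAAA..." with n bytes of 'A' and run the hardened handler on
 * it, to show exactly where the size check cuts off. */
int safe_handler_with_value_length(size_t n)
{
    static char query[512];
    if (n > sizeof query - 8)
        return -3;                /* helper limit, not a handler result */
    memcpy(query, "value=", 6);
    memset(query + 6, 'A', n);
    query[6 + n] = '\0';
    return handle_value_safe(query);
}

int main(void)
{
    printf("safe, 10-byte value  -> %d\n", safe_handler_with_value_length(10));
    printf("safe, 63-byte value  -> %d\n", safe_handler_with_value_length(63));
    printf("safe, 64-byte value  -> %d\n", safe_handler_with_value_length(64));
    printf("safe, 500-byte value -> %d\n", safe_handler_with_value_length(500));
    printf("unsafe, short value  -> %d\n", handle_value_unsafe("x=1&value=hello"));
    return 0;
}
```

The hardened handler returns an error for a 64-byte value even though 64 bytes of payload would fit in a 64-byte array, because the terminating NUL also needs a slot; off-by-one reasoning of exactly this kind is where many "fixed" overflows come back as a one-byte overwrite.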

Attack Vector

The attack vector is network-based with no authentication required. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the /cgi-bin/api.values.get endpoint containing an oversized payload. The payload overflow corrupts the stack, and by carefully controlling the overflow data, an attacker can achieve arbitrary code execution with root privileges. The low attack complexity and lack of required user interaction make this vulnerability particularly dangerous for internet-exposed or poorly segmented VoIP deployments.

A Metasploit module has been developed for this vulnerability, as indicated by the GitHub Metasploit Pull Request. This significantly lowers the barrier to exploitation, making immediate patching critical for affected organizations.

Detection Methods for CVE-2026-2329

Indicators of Compromise

  • Unusual HTTP requests to /cgi-bin/api.values.get with abnormally large parameter values or request bodies
  • Unexpected network connections originating from GXP1600 series VoIP phones to external IP addresses
  • Device crashes, reboots, or unexpected behavior following HTTP requests to the API endpoint
  • Signs of reverse shell connections or unauthorized remote access sessions from VoIP phone IP addresses

Detection Strategies

  • Implement network-based intrusion detection rules to monitor for oversized HTTP requests to Grandstream device API endpoints
  • Deploy web application firewall (WAF) rules to block requests with excessively long parameters targeting /cgi-bin/api.values.get
  • Monitor network traffic for unusual patterns from VoIP phone subnets, including outbound connections on unexpected ports
  • Analyze HTTP access logs for repeated requests to vulnerable endpoints from suspicious source addresses
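As an added example of the first and last strategies applied to stored logs rather than live traffic (this is not SentinelOne's or Grandstream's code), the C program below parses Common Log Format access-log lines from a proxy or IDS in front of the phones, matches requests to /cgi-bin/api.values.get and flags those whose query string exceeds a threshold. The log format, the 256-byte threshold, the sample lines and the function names are constructed assumptions; a real deployment would tune the threshold against observed legitimate traffic and, for POST bodies, would need a log source that records the request Content-Length, which plain CLF does not.

```c
/* Added detection example, not SentinelOne's or Grandstream's code.
 * Assumptions: Common Log Format lines, a 256-byte query-length threshold,
 * and the constructed sample lines below.  Build: cc -std=c99 -Wall det.c */
#include <stdio.h>
#include <string.h>

#define VULN_PATH     "/cgi-bin/api.values.get"
#define MAX_QUERY_LEN 256   /* assumed: longer queries are abnormal for this endpoint */

/* Pull the request target out of a CLF line: the token between the method
 * and the protocol inside the quoted request.  Sets *len; NULL if malformed. */
static const char *request_target(const char *line, size_t *len)
{
    const char *quote = strchr(line, '"');
    if (quote == NULL)
        return NULL;
    const char *sp = strchr(quote + 1, ' ');       /* end of the method */
    if (sp == NULL)
        return NULL;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');          /* before "HTTP/1.x" */
    if (end == NULL)
        end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* 2: request hits the vulnerable endpoint with a normal-size query (log it),
 * 1: hits it with a query longer than MAX_QUERY_LEN (alert),
 * 0: anything else. */
int classify_log_line(const char *line)
{
    size_t len;
    const char *t = request_target(line, &len);
    if (t == NULL)
        return 0;
    size_t plen = strlen(VULN_PATH);
    if (len < plen || memcmp(t, VULN_PATH, plen) != 0)
        return 0;
    if (len > plen && t[plen] != '?')
        return 0;                                  /* different path sharing the prefix */
    size_t qlen = (len > plen) ? len - plen - 1 : 0;
    return qlen > MAX_QUERY_LEN ? 1 : 2;
}

/* Constructed sample lines: two benign requests to the endpoint, one to an
 * unrelated page, and one to a prefix-sharing path that must not match. */
static const char *SAMPLE_LOGS[] = {
    "10.0.0.5 - - [20/Feb/2026:10:00:01 +0000] \"GET /cgi-bin/api.values.get?request=phone_model HTTP/1.1\" 200 128",
    "10.0.0.5 - - [20/Feb/2026:10:00:02 +0000] \"POST /cgi-bin/api.values.get HTTP/1.1\" 200 64",
    "10.0.0.5 - - [20/Feb/2026:10:00:03 +0000] \"GET /index.html HTTP/1.1\" 200 4096",
    "10.0.0.5 - - [20/Feb/2026:10:00:04 +0000] \"GET /cgi-bin/api.values.getx?x=1 HTTP/1.1\" 404 0",
};
#define N_SAMPLES (sizeof SAMPLE_LOGS / sizeof SAMPLE_LOGS[0])

/* Write a CLF line carrying a query of `qlen` bytes of 'A' into out. */
void build_oversized_line(char *out, size_t outsz, size_t qlen)
{
    static char payload[2048];
    if (qlen >= sizeof payload)
        qlen = sizeof payload - 1;
    memset(payload, 'A', qlen);
    payload[qlen] = '\0';
    snprintf(out, outsz,
             "198.51.100.7 - - [20/Feb/2026:10:05:00 +0000] "
             "\"GET " VULN_PATH "?request=%s HTTP/1.1\" 500 0", payload);
}

/* Run the classifier over the constructed set plus one oversized line and
 * return how many lines rate an alert. */
int count_alerts_in_sample(void)
{
    static char big[4096];
    int alerts = 0;
    build_oversized_line(big, sizeof big, 600);
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (classify_log_line(SAMPLE_LOGS[i]) == 1)
            alerts++;
    if (classify_log_line(big) == 1)
        alerts++;
    return alerts;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%d  %.70s\n", classify_log_line(SAMPLE_LOGS[i]), SAMPLE_LOGS[i]);
    printf("alerts in sample set: %d\n", count_alerts_in_sample());
    return 0;
}
```

The classifier returns a distinct "normal-size hit" value so that every request to the endpoint can still be counted per source address; a burst of level-2 hits from one host preceding a level-1 hit is the sequence a scan followed by exploitation would leave in the logs. Note that the 500 status on the oversized sample is itself a constructed value, not a documented crash signature.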

Monitoring Recommendations

  • Enable comprehensive logging on network devices monitoring VoIP traffic segments
  • Configure SIEM alerts for anomalous HTTP request patterns targeting embedded device management interfaces
  • Establish baseline network behavior for VoIP phones and alert on deviations indicating potential compromise
  • Monitor for firmware modification attempts or unauthorized configuration changes on GXP1600 devices

How to Mitigate CVE-2026-2329

Immediate Actions Required

  • Update all Grandstream GXP1600 series devices to firmware version 1.0.7.81 or later immediately
  • Isolate vulnerable VoIP phones on dedicated network segments with restricted internet access
  • Implement network access controls to limit which systems can communicate with VoIP phone management interfaces
  • Audit network configurations to ensure VoIP devices are not directly exposed to untrusted networks

Patch Information

Grandstream has released a security patch addressing this vulnerability. Organizations should update to firmware version 1.0.7.81 or later as documented in the Grandstream Firmware Release Notes. Additional security advisories and guidance are available through the Grandstream PSIRT Portal. For detailed technical analysis of this vulnerability, refer to the Rapid7 Blog CVE-2026-2329 Analysis.

Workarounds

  • Implement strict network segmentation to prevent untrusted systems from accessing VoIP phone management interfaces
  • Deploy firewall rules blocking external access to HTTP/HTTPS ports on GXP1600 series devices
  • Configure access control lists (ACLs) to restrict management interface access to authorized administrative workstations only
  • Consider disabling the HTTP management interface if not required for operational purposes
```bash
# Example firewall rules to restrict access to VoIP phone management (iptables).
# Replace 192.168.10.0/24 with your VoIP subnet and 10.0.0.5 with the admin workstation IP.
# These go on the router/firewall between segments (FORWARD chain). Negation is written
# "! -s"; the older "-s !" form is rejected by current iptables releases. Insert at the
# top of the chain (-I) so an earlier blanket ACCEPT cannot bypass them; the LOG rule
# sits first so denied attempts reach the SIEM, rate-limited to avoid log flooding.
iptables -I FORWARD 1 -d 192.168.10.0/24 -p tcp -m multiport --dports 80,443 ! -s 10.0.0.5 \
  -m limit --limit 5/min -j LOG --log-prefix "VOIP-MGMT-DENY "
iptables -I FORWARD 2 -d 192.168.10.0/24 -p tcp -m multiport --dports 80,443 ! -s 10.0.0.5 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Grandstream
  • Severity: CRITICAL
  • CVSS Score: 9.3
  • EPSS Probability: 0.09%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment (per the CVSS vector above: VC:H/VI:H/VA:H, consistent with unauthenticated root code execution)

  • Confidentiality: High
  • Integrity: High
  • Availability: High

CWE References

  • CWE-121 (Stack-based Buffer Overflow)

Technical References

  • Grandstream Firmware Release Notes
  • GitHub Metasploit Pull Request
  • Grandstream PSIRT Portal
  • Rapid7 Blog CVE-2026-2329 Analysis

Related CVEs

  • CVE-2020-5722: Grandstream UCM6200 SQLi Vulnerability
©2026 SentinelOne, All Rights Reserved.