{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2329", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-02-11T09:26:52.179Z", "datePublished": "2026-02-18T14:08:09.272Z", "dateUpdated": "2026-02-18T14:50:51.252Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GXP1610", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "GXP1615", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "GXP1620", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "GXP1625", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "GXP1628", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "GXP1630", "vendor": "Grandstream", "versions": [{"lessThanOrEqual": "1.0.7.80", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Stephen Fewer, Senior Principal Security Researcher at Rapid7"}], "datePublic": "2026-02-18T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.<br>"}], "value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-02-18T14:08:09.272Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed"}, {"tags": ["vendor-advisory"], "url": "https://psirt.grandstream.com/"}, {"tags": ["release-notes"], "url": "https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdf"}, {"tags": ["exploit"], "url": "https://github.com/rapid7/metasploit-framework/pull/20983"}], "source": {"discovery": "UNKNOWN"}, "title": "Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:50:26.406047Z", "id": "CVE-2026-2329", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:50:51.252Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2329", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-18T14:50:26.406047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:50:45.570Z"}}], "cna": {"title": "Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Stephen Fewer, Senior Principal Security Researcher at Rapid7"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grandstream", "product": "GXP1610", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}, {"vendor": "Grandstream", "product": "GXP1615", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}, {"vendor": "Grandstream", "product": "GXP1620", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}, {"vendor": "Grandstream", "product": "GXP1625", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}, {"vendor": "Grandstream", "product": "GXP1628", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}, {"vendor": "Grandstream", "product": "GXP1630", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7.80"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-18T14:00:00.000Z", "references": [{"url": "https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed", "tags": ["third-party-advisory"]}, {"url": "https://psirt.grandstream.com/", "tags": ["vendor-advisory"]}, {"url": "https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdf", "tags": ["release-notes"]}, {"url": "https://github.com/rapid7/metasploit-framework/pull/20983", "tags": ["exploit"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.", "supportingMedia": [{"type": "text/html", "value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-02-18T14:08:09.272Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2329", "state": "PUBLISHED", "dateUpdated": "2026-02-18T14:50:51.252Z", "dateReserved": "2026-02-11T09:26:52.179Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2026-02-18T14:08:09.272Z", "assignerShortName": "rapid7"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1610_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "99246F81-B826-4D2F-9A82-629E64BF95EE", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1610:-:*:*:*:*:*:*:*", "matchCriteriaId": "D92122D2-AD92-4EC3-81C3-CC58C3E3C287", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1615_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3D913E1-E682-454A-B6A9-9D8815E692B5", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1615:-:*:*:*:*:*:*:*", "matchCriteriaId": "713E836B-E61E-4E74-9026-F6470C9555F1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1620_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "03F5647A-F0A2-44D4-AE37-36D1B26A4DD0", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1620:-:*:*:*:*:*:*:*", "matchCriteriaId": "898FC5BB-6D88-4ED3-95FE-ACFA8D99AAD7", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1625_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CABEDD99-B978-4818-9F7D-D53089E02BE0", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1625:-:*:*:*:*:*:*:*", "matchCriteriaId": "280FCCEF-196B-4BD4-B5C2-7DECC224A84C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1628_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "627DD526-9A9A-43BE-B060-3090FF33E741", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1628:-:*:*:*:*:*:*:*", "matchCriteriaId": "8CDF28C0-982E-4DB8-8F3A-75103F2AF9A4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:gxp1630_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F3398B8-0265-46D4-86C1-761B068424D9", "versionEndExcluding": "1.0.7.81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:gxp1630:-:*:*:*:*:*:*:*", "matchCriteriaId": "63FC9463-51FD-493D-B2FD-4E61EC6B98CA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630."}, {"lang": "es", "value": "Existe una vulnerabilidad de desbordamiento de b\u00fafer basado en pila no autenticada en el endpoint de la API HTTP /cgi-bin/api.values.get. Un atacante remoto puede aprovechar esta vulnerabilidad para lograr ejecuci\u00f3n remota de c\u00f3digo (RCE) no autenticada con privilegios de root en un dispositivo objetivo. La vulnerabilidad afecta a los seis modelos de dispositivo de la serie: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628 y GXP1630."}], "id": "CVE-2026-2329", "lastModified": "2026-02-20T20:57:50.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2026-02-18T15:18:44.173", "references": [{"source": "cve@rapid7.com", "tags": ["Product", "Release Notes"], "url": "https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdf"}, {"source": "cve@rapid7.com", "tags": ["VDB Entry", "Patch"], "url": "https://github.com/rapid7/metasploit-framework/pull/20983"}, {"source": "cve@rapid7.com", "tags": ["Vendor Advisory"], "url": "https://psirt.grandstream.com/"}, {"source": "cve@rapid7.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "cve@rapid7.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1610", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1610", "vendor": "grandstream"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1615", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1615", "vendor": "grandstream"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1620", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1620", "vendor": "grandstream"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1625", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1625", "vendor": "grandstream"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1628", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1628", "vendor": "grandstream"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7.80]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GXP1630", "source": "cna", "vendor": "Grandstream"}, "product": "gxp1630", "vendor": "grandstream"}], "analysis": {"en": {"generated_at": "2026-04-28T17:44:46.224472+00:00", "value": {"mitigation_remediation": ["Update firmware to at least version 1.0.7.81, which contains the fix for the stack buffer overflow.", "Configure network perimeter defenses to block or restrict inbound traffic to the HTTP API ports, effectively preventing unauthenticated access.", "Monitor device logs for unusual API activity and verify that no unauthorized management sessions are established."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All six GXP series models\u2014GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630\u2014are affected.", "description_and_impact": "A stack-based buffer overflow exists in the HTTP API endpoint /cgi-bin/api.values.get on Grandstream VoIP phones. The vulnerability can be triggered without authentication and allows an attacker to execute arbitrary code with root privileges on the device.", "risk_and_exploitability": "The flaw carries a high severity CVSS score of 9.3 and an EPSS score of 32%, indicating a substantial likelihood of exploitation. While currently not listed in the CISA KEV catalog, the unauthenticated remote attack vector means any device exposed to the network can be targeted. An attacker can send a crafted HTTP request to the vulnerable endpoint, overflow the stack, and gain root-level code execution, fully compromising confidentiality, integrity, and availability of the VoIP phone."}}}}, "created": "2026-02-19T10:19:48.746960+00:00", "updated": "2026-04-28T17:45:16.146859+00:00", "vendors": ["grandstream", "grandstream$PRODUCT$gxp1610", "grandstream$PRODUCT$gxp1615", "grandstream$PRODUCT$gxp1620", "grandstream$PRODUCT$gxp1625", "grandstream$PRODUCT$gxp1628", "grandstream$PRODUCT$gxp1630"]}