CVE-2026-2329

Summary

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

Affected Software

VendorProductVersion RangeStatus
GrandstreamGXP16100 <= 1.0.7.80affected
GrandstreamGXP16150 <= 1.0.7.80affected
GrandstreamGXP16200 <= 1.0.7.80affected
GrandstreamGXP16250 <= 1.0.7.80affected
GrandstreamGXP16280 <= 1.0.7.80affected
GrandstreamGXP16300 <= 1.0.7.80affected

Weaknesses

  • CWE-121: CWE-121 Stack-based Buffer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References