Grandstream GXP1600 VoIP Phones CVE-2026-2329 Enables Unauthenticated Root RCE and Call Interception
VPN Central [Unofficial]
February 21, 2026
Grandstream GXP1600 series VoIP phones suffer from a critical stack buffer overflow, CVE-2026-2329. Attackers gain root privileges remotely, without authentication, via the web API endpoint /cgi-bin/api.values.get. Rapid7 researchers disclosed the flaw, discovered January 6, 2026. The CVSS score is 9.3. The vulnerability is present in the default configuration. Malicious HTTP requests with a colon-delimited “request” parameter overflow the stack. Attackers execute arbitrary code […]