Grandstream GXP1600 VoIP Phones Face Critical RCE Vulnerability

Grandstream GXP1600 series VoIP phones suffer from CVE-2026-2329, a critical unauthenticated stack buffer overflow with CVSS score 9.3. Remote attackers gain root access via the web API endpoint “/cgi-bin/api.values.get” in default configs. No login required. Rapid7 researcher Stephen Fewer found the flaw January 6, 2026. The API parses colon-delimited “request” parameters like “68:phone_model” into a […]

The post Grandstream GXP1600 VoIP Phones Face Critical RCE Vulnerability appeared first on VPN Central.