CVE-2026-2329 — CRITICAL (9.8)

Q: How severe is CVE-2026-2329?

CVE-2026-2329 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-2329?

Check the references section above for vendor advisories and patch information. Affected products include: Grandstream Gxp1610 Firmware, Grandstream Gxp1610, Grandstream Gxp1615 Firmware, Grandstream Gxp1615, Grandstream Gxp1620 Firmware.

Vulnerability Description

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Grandstream	Gxp1610 Firmware	< 1.0.7.81
Grandstream	Gxp1610	-
Grandstream	Gxp1615 Firmware	< 1.0.7.81
Grandstream	Gxp1615	-
Grandstream	Gxp1620 Firmware	< 1.0.7.81
Grandstream	Gxp1620	-
Grandstream	Gxp1625 Firmware	< 1.0.7.81
Grandstream	Gxp1625	-
Grandstream	Gxp1628 Firmware	< 1.0.7.81
Grandstream	Gxp1628	-
Grandstream	Gxp1630 Firmware	< 1.0.7.81
Grandstream	Gxp1630	-

Related Weaknesses (CWE)

CWE-121

References

https://firmware.grandstream.com/Release_Note_GXP16xx_1.0.7.81.pdfProductRelease Notes
https://github.com/rapid7/metasploit-framework/pull/20983VDB EntryPatch
https://psirt.grandstream.com/Vendor Advisory
https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stackThird Party AdvisoryVDB Entry

FAQ

What is CVE-2026-2329?

CVE-2026-2329 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remot...

How severe is CVE-2026-2329?

CVE-2026-2329 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-2329?

Check the references section above for vendor advisories and patch information. Affected products include: Grandstream Gxp1610 Firmware, Grandstream Gxp1610, Grandstream Gxp1615 Firmware, Grandstream Gxp1615, Grandstream Gxp1620 Firmware.