Overview
- Rapid7 disclosed CVE-2026-2329, a stack-based buffer overflow in the web API that permits unauthenticated remote code execution as root.
- The flaw resides in /cgi-bin/api.values.get, reachable in default configurations via a colon-delimited 'request' parameter that overflows a 64-byte stack buffer.
- Metasploit modules and detailed technical write-ups are now public, which lowers the barrier for attackers even though exploitation still requires some skill.
- Compromise enables extraction of local and SIP credentials and reconfiguration to a malicious SIP proxy, allowing stealthy eavesdropping on calls.
- Grandstream patched the issue in firmware 1.0.7.81 for GXP1610/1615/1620/1625/1628/1630, and organizations are urged to update promptly and restrict management access.