CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-2329

CVSS 9.3v4.0pub. 2026-02-18upd. 2026-02-20

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Grandstream Gxp1610

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1610 Firmware

    OS
    Grandstream
    < 1.0.7.81
  • Grandstream Gxp1615

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1615 Firmware

    OS
    Grandstream
    < 1.0.7.81
  • Grandstream Gxp1620

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1620 Firmware

    OS
    Grandstream
    < 1.0.7.81
  • Grandstream Gxp1625

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1625 Firmware

    OS
    Grandstream
    < 1.0.7.81
  • Grandstream Gxp1628

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1628 Firmware

    OS
    Grandstream
    < 1.0.7.81
  • Grandstream Gxp1630

    HW
    Grandstream
    wszystkie wersje
  • Grandstream Gxp1630 Firmware

    OS
    Grandstream
    < 1.0.7.81
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2018-17564CRITICAL9.8ten sam produkt

A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers t...

CVE-2018-17565CRITICAL9.8ten sam produkt

Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones ...

CVE-2025-28170HIGH7.6ten sam produkt

Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured w...

CVE-2020-5738HIGH8.8ten sam produkt

Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command executio...

CVE-2020-5739HIGH8.8ten sam produkt

Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command executio...