Critical Grandstream VoIP Bug Highlights SMB Security Blind Spot
Summary
CVE-2026-2329 exposes SMB phone infrastructure to unauthenticated root-level access, enabling attackers to intercept calls, commit toll fraud, and impersonate users. This vulnerability highlights critical security concerns for telecommunications systems.
Key Insights
What is a stack-based buffer overflow and why is CVE-2026-2329 considered critical?
A stack-based buffer overflow occurs when a program writes more data to a buffer than it can hold, causing the excess data to overwrite adjacent memory on the stack. In CVE-2026-2329, the vulnerable endpoint '/cgi-bin/api.values.get' uses a 64-byte buffer without proper length checking, allowing attackers to write past the buffer boundaries. This is critical because it requires no authentication and can be triggered remotely, giving attackers immediate root-level access to the device—the highest privilege level on the system. The CVSS score of 9.3 out of 10 reflects this severity.
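The defect class described above, as an added illustration in C that is not Grandstream's firmware code: a hypothetical request handler copying a parameter into a fixed 64-byte stack buffer with no length check, beside a hardened version that validates the length before copying. Only the 64-byte size comes from the page; the function names, parameter handling and sample input are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size taken from the page's description of the endpoint. */
#define VALUE_BUF_SIZE 64

/* "Before": fixed 64-byte stack buffer filled with an unbounded copy.
 * A parameter of 64 or more bytes overruns the buffer and overwrites
 * whatever sits above it on the stack (saved registers, return address).
 * Hypothetical illustration of the bug class, not the vendor's code;
 * kept only for contrast and never called here with long input. */
static int handle_value_unchecked(const char *param)
{
    char value[VALUE_BUF_SIZE];
    strcpy(value, param);          /* no length check: the defect */
    return (int)strlen(value);
}

/* "After": bound the scan to the destination size and reject anything
 * that would not fit together with its terminator before copying. */
static int handle_value_checked(const char *param, char *out, size_t outsz)
{
    const char *nul = memchr(param, '\0', outsz);   /* reads at most outsz bytes */
    if (nul == NULL) {
        return -1;                 /* overlong or unterminated: rejected */
    }
    size_t n = (size_t)(nul - param);
    memcpy(out, param, n + 1);     /* n <= outsz - 1, terminator included */
    return (int)n;
}

/* Helper: build a constructed parameter of `len` 'A' bytes and run the
 * hardened handler on it; returns the accepted length or -1. */
int check_param_of_len(size_t len)
{
    char out[VALUE_BUF_SIZE];
    char *param = malloc(len + 1);
    if (param == NULL) return -1;
    memset(param, 'A', len);
    param[len] = '\0';
    int rc = handle_value_checked(param, out, sizeof out);
    free(param);
    return rc;
}

int main(void)
{
    printf("63-byte value -> %d\n", check_param_of_len(63));   /* 63: fits */
    printf("64-byte value -> %d\n", check_param_of_len(64));   /* -1: rejected */
    printf("short value, unchecked handler -> %d\n", handle_value_unchecked("ok"));
    return 0;
}
```

Stack canaries or ASLR on the device would only make the unchecked copy harder to abuse; the length check is what removes the overflow.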
How can attackers use this vulnerability to intercept calls and commit toll fraud?
Once an attacker gains root access through the buffer overflow, they can reconfigure the device's SIP (Session Initiation Protocol) settings to route calls through a malicious SIP proxy server they control. This proxy acts as an intermediary that transparently intercepts all incoming and outgoing calls without triggering any alarms or visible indicators on the phone. The user experiences normal dialing and audio, but the attacker can simultaneously listen to conversations in real time. Additionally, with root access to the device, attackers can extract stored credentials and potentially reconfigure billing settings, enabling toll fraud by making unauthorized calls charged to the compromised organization.