Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution

• Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices.
• The vulnerability, tracked as CVE-2026-2329, carries a CVSS score of 9.3 out of a maximum of 10.0.
• It has been described as a case of unauthenticated stack-based buffer overflow that could result in remote code execution.
• “A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device,” Rapid7 researcher Stephen Fewer, who discovered and reported the bug on January 6, 2026, said.
• According to the cybersecurity company, the issue is rooted in the device’s web-based API service ("/cgi-bin/api.values.get") and is accessible in a default configuration without requiring authentication.
• This endpoint is designed to fetch one or more configuration values from the phone, such as the firmware version number or the model, through a colon-delimited string in the “request” parameter (e.g., “request=68:phone_model”), which is then parsed to extract each identifier and append it to a 64-byte buffer on the stack.
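The parsing step described above is where a length check belongs. The following is an added example, not Grandstream's firmware code or Rapid7's analysis: a minimal C parser for the colon-delimited value that refuses any identifier too long for a 64-byte stack buffer. The names `parse_request`, `id_handler`, `last_id` and `remember_last` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE 64  /* buffer size given in the article */

/* Hypothetical callback: receives each NUL-terminated identifier. */
typedef void (*id_handler)(const char *id, void *ctx);

/* Sample handler: keeps a copy of the most recent identifier. */
struct last_id { char value[ID_BUF_SIZE]; };
void remember_last(const char *id, void *ctx)
{
    struct last_id *out = ctx;
    memcpy(out->value, id, strlen(id) + 1);  /* id is at most 63 chars + NUL */
}

/*
 * Split a colon-delimited request value such as "68:phone_model".
 * Returns the number of identifiers handled, or -1 as soon as one would not
 * fit in the 64-byte buffer (earlier identifiers have already been handled).
 */
int parse_request(const char *request, id_handler handler, void *ctx)
{
    char id[ID_BUF_SIZE];
    size_t len = 0;
    int count = 0;

    if (request == NULL)
        return -1;
    for (const char *p = request; ; p++) {
        if (*p == ':' || *p == '\0') {      /* end of one identifier */
            if (len > 0) {
                id[len] = '\0';
                if (handler) handler(id, ctx);
                count++;
                len = 0;
            }
            if (*p == '\0') return count;
            continue;
        }
        if (len >= ID_BUF_SIZE - 1)         /* keep one byte for the NUL */
            return -1;
        id[len++] = *p;                      /* bounded append */
    }
}

int main(void)
{
    struct last_id last = { "" };           /* constructed sample input below */
    printf("%d\n", parse_request("68:phone_model", remember_last, &last));
    printf("%s\n", last.value);
    return 0;
}
```

Without the `len >= ID_BUF_SIZE - 1` test, the append would write past `id` and into adjacent stack memory, which is the class of defect the article reports.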

Article Summaries:

  • Cybersecurity researchers have identified a critical unauthenticated remote-code-execution flaw (CVE-2026-2329) in Grandstream’s GXP1600 VoIP phone series, scoring 9.3/10 on CVSS. The vulnerability stems from a stack-based buffer overflow in the web-API endpoint “/cgi-bin/api.values.get,” which accepts a colon-delimited “request” parameter without length checks. An attacker can send a crafted request to overwrite stack memory, gain root privileges, and potentially reconfigure the device to use a malicious SIP proxy for call interception. The issue affects models GXP1610-1630 and has been patched in firmware 1.0.7.81 released last month. Rapid7’s Metasploit module demonstrates the exploit’s feasibility.
  • A newly disclosed vulnerability (CVE-2026-2329) in Grandstream’s VoIP devices permits attackers to gain unauthenticated root-level access to the devices’ firmware. The flaw exposes the entire phone infrastructure, enabling attackers to eavesdrop on calls, execute toll-fraud schemes, and impersonate legitimate users. Because many small-to-medium businesses rely on Grandstream hardware for voice communications, the bug highlights a critical security blind spot in SMB VoIP deployments. Vendors and users are urged to apply the latest firmware patches immediately to mitigate the risk of widespread call interception and fraud.
  • A critical flaw (CVE-2026-2329) in Grandstream’s GXP1600 series VoIP phones allows an unauthenticated remote attacker to gain root privileges and silently eavesdrop on calls. The vulnerability, rated 9.3, exploits a stack overflow in the web-based API (/cgi-bin/api.values.get) that accepts an unbounded ‘request’ parameter. Rapid7 researchers demonstrated the exploit with a Metasploit module, showing how attackers can extract credentials and reconfigure the device to use a malicious SIP proxy. Grandstream released a fix (firmware 1.0.7.81) on February 3, and users of the affected models are urged to update immediately.
  • A critical stack-based buffer overflow (CVE-2026-2329) in Grandstream’s GXP1600 VoIP phones lets an unauthenticated attacker gain root access and remotely execute code. Rapid7 warned that this could enable attackers to reconfigure SIP settings, redirect calls through malicious proxies, and extract local and SIP credentials, allowing silent call interception. The GXP1600 line is common in small-to-medium businesses. Grandstream received the disclosure in January and released a patched firmware (1.0.7.81) within a week. While exploitation requires skill, the lowered barrier has raised concerns for operators in exposed or lightly-segmented environments. Grandstream has issued its own advisory.

Sources: