
Critical VoIP Phone Bug Enables Stealthy Eavesdropping (CVE-2026-2329)

Summary

– A critical vulnerability (CVE-2026-2329) in Grandstream VoIP phones allows unauthenticated attackers to remotely execute code with root privileges.
– The flaw exists in the device’s web-based API due to improper bounds checking, enabling exploitation via a crafted request that triggers a buffer overflow.
– Successful exploitation can let attackers gather stored credentials and reconfigure the device to intercept and eavesdrop on phone calls.
– The vulnerability affects the entire GXP1600 series with firmware version 1.0.7.79 or earlier, and is fixed in version 1.0.7.81.
– Organizations are urged to update immediately, as public exploit details increase the risk of long-term, covert access in trusted networks.

A critical security flaw has been identified in a popular line of office phones, allowing attackers to seize complete control and secretly listen in on private conversations. Designated as CVE-2026-2329, this vulnerability exists within Grandstream’s GXP1600 series of VoIP desk phones. Researchers from Rapid7 uncovered the issue, which resides in the device’s web management interface and is exploitable in its default configuration without requiring any login credentials.

The problem originates from improper bounds checking in a web API endpoint. This technical oversight creates a buffer overflow condition. By sending a maliciously crafted request to a vulnerable phone, an unauthenticated attacker can trigger this flaw to execute arbitrary code with full root privileges. If the phone’s management interface is accessible, whether from inside a local network or, more dangerously, directly from the internet, the attack can be carried out remotely.

The implications of a successful exploit are severe. Rapid7 has developed proof-of-concept modules for the Metasploit framework that illustrate the attack chain. Once control is gained, an attacker can harvest sensitive credentials stored on the device, including local user accounts and SIP (Session Initiation Protocol) details used for call routing. Most alarmingly, as researcher Stephen Fewer explained, attackers can reconfigure the compromised phone to use a malicious SIP proxy. This allows them to transparently intercept and eavesdrop on all audio from calls made to and from the device, turning a trusted piece of office equipment into a covert listening device.

This vulnerability specifically impacts the entire Grandstream GXP1600 series, which includes models GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. The flaw is present in firmware versions 1.0.7.79 and earlier. Grandstream has addressed the issue in firmware update v1.0.7.81. These phones are commonplace in small to medium-sized businesses and corporate environments, often placed on internal networks but sometimes exposed online for remote management convenience.

Given that detailed technical information and functional exploit code are now publicly available, the urgency for remediation is high. While exploiting the bug requires some technical skill, the public availability of exploit code significantly lowers the barrier for a motivated attacker. Douglas McKee, Director of Vulnerability Intelligence at Rapid7, emphasized that the primary danger is the potential for persistent, hidden access. VoIP phones are typically trusted components of a network infrastructure and may remain in active use for many years without further security review, providing a perfect long-term foothold for espionage.

Organizations using these devices are strongly advised to immediately apply the patched firmware version. Administrators should also review network configurations to ensure the management interfaces of these phones are not unnecessarily exposed to the internet, applying network segmentation where possible to limit potential attack paths.
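The checks an administrator would want to run across a phone estate follow directly from the article: is the firmware still at 1.0.7.79 or earlier on an affected GXP1600 model, has the configured SIP proxy drifted away from the ones the organization actually uses (the reconfiguration the eavesdropping scenario depends on), and is the web management interface reachable from the internet. The script below is an added example and is not code from the article, Rapid7 or Grandstream. It runs over a constructed inventory; the `Phone` record, the `APPROVED_SIP_PROXIES` allow-list and the sample hostnames, proxies and the `OTHER-MODEL` placeholder are assumptions, and how the records are collected from the devices is left to whatever asset-management tooling is already in place.

```python
"""
Added example (not from the article, Rapid7 or Grandstream): audit a
constructed inventory of VoIP phones for the three conditions the article
raises about CVE-2026-2329 on the Grandstream GXP1600 series:
  1. firmware 1.0.7.79 or earlier on an affected model (fixed in 1.0.7.81),
  2. a SIP proxy outside the organisation's allow-list (the reconfiguration
     used to intercept calls),
  3. a web management interface reachable from the internet.
The Phone record, the allow-list and the sample devices are assumptions.
"""
from dataclasses import dataclass

# Model list and fixed version as stated in the article.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_FIRMWARE = "1.0.7.81"

# Assumed: the SIP proxies this organisation legitimately provisions.
APPROVED_SIP_PROXIES = {"sip.corp.example:5060"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware string such as '1.0.7.79' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_firmware(model: str, firmware: str) -> bool:
    """True when the model is in the affected series and the firmware predates the fix."""
    return model in AFFECTED_MODELS and parse_version(firmware) < parse_version(FIXED_FIRMWARE)


@dataclass
class Phone:
    hostname: str
    model: str
    firmware: str
    sip_proxy: str                      # host:port the phone is configured to register with
    mgmt_reachable_from_internet: bool  # result of an external reachability check (assumed)


def audit(phones: list[Phone]) -> dict[str, list[str]]:
    """Return hostname -> list of findings; an empty list means the phone is clean."""
    report: dict[str, list[str]] = {}
    for phone in phones:
        findings: list[str] = []
        if is_vulnerable_firmware(phone.model, phone.firmware):
            findings.append(
                f"firmware {phone.firmware} vulnerable to CVE-2026-2329; update to {FIXED_FIRMWARE}"
            )
        if phone.sip_proxy not in APPROVED_SIP_PROXIES:
            findings.append(
                f"unexpected SIP proxy {phone.sip_proxy!r}: possible call-interception reconfiguration"
            )
        if phone.mgmt_reachable_from_internet:
            findings.append("web management interface exposed to the internet; restrict or segment")
        report[phone.hostname] = findings
    return report


# Constructed sample inventory (not real devices). 'OTHER-MODEL' is a placeholder
# for a phone outside the GXP1600 series; 203.0.113.7 is a documentation address.
SAMPLE_INVENTORY = [
    Phone("phone-lobby", "GXP1625", "1.0.7.79", "sip.corp.example:5060", False),
    Phone("phone-ceo", "GXP1630", "1.0.7.81", "203.0.113.7:5060", False),
    Phone("phone-branch", "GXP1610", "1.0.7.50", "sip.corp.example:5060", True),
    Phone("phone-other", "OTHER-MODEL", "1.0.7.79", "sip.corp.example:5060", False),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

The SIP proxy check is deliberately applied to every phone, not only to the affected models, because a proxy that nobody provisioned is worth a look regardless of how it got there; the firmware check alone would pass `phone-ceo` above, which is already patched but registers with an address outside the allow-list.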

(Source: HelpNet Security)
