CVE‑2026‑2329 is a critical stack‑based buffer overflow vulnerability affecting the Grandstream GXP1600 series of VoIP desk phones. The flaw sits in the device’s web‑based API endpoint and can be exploited remotely without any authentication. If successfully exploited, an attacker can gain full remote code execution with root privileges on the phone.
Because these devices are widely deployed in offices, hotels, call centers, and small business environments, a compromise can quickly turn into a broader network security issue. VoIP phones are often overlooked from a security perspective, which makes them attractive targets.
A public Metasploit module exploiting this vulnerability is available, which significantly increases the likelihood of exploitation in the near future.
Technical Details
- Vulnerability type: Stack‑based buffer overflow
- Component: Web API endpoint
- Impact: Remote code execution as root
- Attack vector: Remote, no authentication required
- Severity: Critical (CVSS 9.3)
- Affected models:
  - GXP1610
  - GXP1615
  - GXP1620
  - GXP1625
  - GXP1628
  - GXP1630
- Affected firmware: Versions earlier than 1.0.7.81
The vulnerable API endpoint is reachable in the default configuration, meaning an attacker does not need any special access or credentials to attempt exploitation.
Risk and Impact
If this vulnerability is not patched, an attacker could:
- Execute arbitrary code with full root privileges
- Take complete control of the phone
- Intercept or manipulate calls
- Perform toll fraud or impersonate users
- Use the compromised device as an initial access point into the internal network
With a working PoC now publicly available, exploitation attempts are expected to increase.
Exploitation Status
There are currently no confirmed reports of active exploitation in the wild.
However, the availability of a PoC and the ease of exploitation make this a high‑risk situation that should be treated with urgency.
Mitigation and Remediation
Update Firmware:
Install firmware version 1.0.7.81 or later. This update contains the official fix.
Reduce Exposure:
Until all devices are patched:
- Ensure the phone’s web interface is not exposed to the internet
- Place VoIP devices behind firewalls or on isolated VLANs
- Restrict management access to trusted networks only
Enterprise Recommendations:
- Audit all deployed GXP1600 devices and verify firmware versions
- Monitor VoIP logs for unusual call patterns or unauthorized access attempts
- Treat VoIP devices as part of the security perimeter, not as low‑risk appliances
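One way to carry out the firmware audit recommended above is to check an asset inventory export against the affected models and the fixed version named in this bulletin. This is an added example, not vendor or Metasploit code; the CSV column names (host, model, firmware) and the sample rows are constructed assumptions.

```python
import csv
import io

# From the advisory: affected models and the first fixed firmware version.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = (1, 0, 7, 81)

# Constructed sample inventory; the column names are an assumption.
SAMPLE_INVENTORY = """host,model,firmware
10.20.0.11,GXP1625,1.0.7.64
10.20.0.12,gxp1630,1.0.7.81
10.20.0.13,GXP1610,1.0.5.3
10.20.0.14,GXP2170,1.0.11.6
10.20.0.15,GXP1628,unknown
10.20.0.16,GXP1620,1.0.7
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(model, firmware):
    """Return 'not-affected', 'patched', 'vulnerable' or 'review'."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "review"  # unreadable version on an affected model: check by hand
    # Pad short versions with zeros so 1.0.7 compares as 1.0.7.0.
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return "vulnerable" if padded < FIXED_VERSION else "patched"


def audit(inventory_csv):
    """Map each host in the inventory to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["model"], row["firmware"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as "review" are affected models whose firmware string could not be parsed and should be verified manually rather than assumed patched.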
