CVE‑2026‑2329 is a critical stack‑based buffer overflow vulnerability affecting the Grandstream GXP1600 series of VoIP desk phones. The flaw sits in the device’s web‑based API endpoint and can be exploited remotely without any authentication. If successfully exploited, an attacker can gain full remote code execution with root privileges on the phone.
Because these devices are widely deployed in offices, hotels, call centers, and small business environments, a compromise can quickly turn into a broader network security issue. VoIP phones are often overlooked from a security perspective, which makes them attractive targets.
A public Metasploit module that exploits this vulnerability is already available, which significantly increases the likelihood of exploitation in the near future.
The vulnerable API endpoint is reachable in the default configuration, meaning an attacker does not need any special access or credentials to attempt exploitation.
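The bulletin does not publish the affected code, so the following is an added illustration of the bug class it describes (a stack-based overflow in an unauthenticated web API parameter handler) next to the hardened form of the same handler. It is hypothetical example code, not Grandstream firmware and not the Metasploit module: the parameter name `name`, the 32-byte buffer, the query-string format and all function names are assumptions, and the over-long request is constructed inline.

```c
/* Example only: hypothetical handler, not Grandstream's code. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed size of the handler's stack buffer */

/* Locate `key` in a "k1=v1&k2=v2" query string without copying it:
 * *val points into the query and *len is the value length. */
static int get_param(const char *query, const char *key,
                     const char **val, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *val = p + klen + 1;
            const char *end = strchr(*val, '&');
            *len = end ? (size_t)(end - *val) : strlen(*val);
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Vulnerable pattern (CWE-121): the value is copied into a fixed stack
 * buffer with no bound, so a value longer than NAME_MAX - 1 bytes runs
 * over the saved registers and return address that follow the buffer.
 * Kept for contrast only; never feed it attacker-controlled input. */
int handle_api_vulnerable(const char *query)
{
    const char *val; size_t len;
    char name[NAME_MAX];
    if (!get_param(query, "name", &val, &len)) return -1;
    memcpy(name, val, len);        /* no check of len against sizeof name */
    name[len] = '\0';
    return (int)len;
}

/* Hardened pattern: reject before copying. The only difference from the
 * version above is the length check; a real handler would also refuse
 * the request before this point if the caller is not authenticated. */
int handle_api_hardened(const char *query)
{
    const char *val; size_t len;
    char name[NAME_MAX];
    if (!get_param(query, "name", &val, &len)) return -1;
    if (len >= sizeof name) return -1;   /* leave room for the terminator */
    memcpy(name, val, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed over-long request: "name=" followed by 200 'A' bytes. */
int demo_overlong(void)
{
    char query[5 + 200 + 1];
    memcpy(query, "name=", 5);
    memset(query + 5, 'A', 200);
    query[205] = '\0';
    return handle_api_hardened(query);   /* -1: rejected, nothing copied */
}

int main(void)
{
    printf("valid request:     %d\n", handle_api_hardened("x=1&name=alice"));
    printf("over-long request: %d\n", demo_overlong());
    return 0;
}
```

The two handlers differ by one comparison; that is the shape of most stack-overflow fixes in embedded web servers, which is why a version check rather than a behavioural test is the reliable way to confirm a device is patched.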
If this vulnerability is not patched, an attacker on a network that can reach the phone's web interface could execute code as root on the device and use it as a foothold into the surrounding network.
With a working PoC now publicly available, exploitation attempts are expected to increase.
There are currently no confirmed reports of active exploitation in the wild.
However, the availability of a PoC and the ease of exploitation make this a high‑risk situation that should be treated with urgency.
Update Firmware:
Install firmware version 1.0.7.81 or later. This update contains the official fix.
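Confirming the patch across a fleet means comparing each phone's reported firmware string against 1.0.7.81, and a plain string comparison gets this wrong (as a string, "1.0.7.9" sorts after "1.0.7.81"). The helper below is an added example, not a Grandstream tool: it parses dotted versions numerically, flags anything older or unreadable, and runs over a constructed sample inventory. How the version string is retrieved from each device is outside the example and is assumed to be supplied by the caller.

```c
/* Example only: added firmware-version triage helper, not vendor code. */
#include <stdio.h>
#include <string.h>

#define FIXED_VERSION "1.0.7.81"   /* first fixed release per the bulletin */

/* Parse up to four dotted numeric components into out[]; missing trailing
 * components read as 0. Returns 0 for empty or malformed strings. */
static int parse_version(const char *s, int out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) out[i] = 0;
    if (*s == '\0') return 0;
    while (*s && n < 4) {
        if (*s < '0' || *s > '9') return 0;
        int v = 0;
        while (*s >= '0' && *s <= '9') { v = v * 10 + (*s - '0'); s++; }
        out[n++] = v;
        if (*s == '.') s++;
        else if (*s) return 0;
    }
    return *s == '\0';
}

/* 1 if ver is at or above FIXED_VERSION, 0 if older, -1 if unparsable. */
int firmware_is_fixed(const char *ver)
{
    int a[4], b[4];
    if (!parse_version(ver, a) || !parse_version(FIXED_VERSION, b)) return -1;
    for (int i = 0; i < 4; i++) {
        if (a[i] > b[i]) return 1;
        if (a[i] < b[i]) return 0;
    }
    return 1;
}

/* The pitfall, kept to show why numeric parsing matters: string ordering
 * reports 1.0.7.9 as newer than 1.0.7.81. */
int naive_strcmp_says_fixed(const char *ver)
{
    return strcmp(ver, FIXED_VERSION) >= 0;
}

struct phone { const char *host; const char *firmware; };

/* Constructed sample inventory for the example (not real devices). */
static const struct phone SAMPLE[] = {
    {"10.0.5.21", "1.0.7.81"},
    {"10.0.5.22", "1.0.7.9"},
    {"10.0.5.23", "1.0.8.2"},
    {"10.0.5.24", "unknown"},
};

/* Count phones that still need action: older than the fix or unreadable. */
int count_needing_action(const struct phone *list, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (firmware_is_fixed(list[i].firmware) != 1) count++;
    return count;
}

int main(void)
{
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    for (size_t i = 0; i < n; i++)
        printf("%-12s %-10s fixed=%d\n", SAMPLE[i].host, SAMPLE[i].firmware,
               firmware_is_fixed(SAMPLE[i].firmware));
    printf("needing action: %d of %zu\n", count_needing_action(SAMPLE, n), n);
    return 0;
}
```

Treat an unparsable or missing version the same as a vulnerable one: a phone that will not report its firmware cannot be shown to be patched.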
Reduce Exposure:
Until all devices are patched:
Enterprise Recommendations:
If you are concerned about any of the threats outlined in this bulletin, or need help determining what steps to take against the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.