Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution
Source: The Hacker News
Overview
Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices. The vulnerability is tracked as CVE‑2026‑2329 and carries a CVSS score of 9.3 (Critical).
“A remote attacker can leverage CVE‑2026‑2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device,” said Rapid7 researcher Stephen Fewer, who discovered and reported the bug on January 6, 2026.
Vulnerability Details
- Component affected: Web‑based API service (/cgi-bin/api.values.get)
- Root cause: Unauthenticated stack‑based buffer overflow in the handling of the request parameter.
- Mechanism:
  - The endpoint accepts a colon‑delimited string (e.g., request=68:phone_model).
  - Each identifier is parsed and appended to a 64‑byte buffer on the stack.
  - No length check is performed; an attacker‑controlled value can write past the buffer, corrupting adjacent stack memory.
When the buffer overflows, an attacker can inject shellcode that executes with root privileges, enabling full compromise of the device.
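The length check missing from the parsing described under Mechanism, shown as an added example (not Grandstream's firmware code and not taken from Rapid7's write-up): a bounded parser for the colon‑delimited request value. The names parse_request and id_list and the MAX_IDS cap are assumptions; only the 64‑byte buffer size comes from the article.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE 64  /* buffer size stated in the article */
#define MAX_IDS 16      /* assumed cap on identifiers per request */

struct id_list {
    int count;
    char ids[MAX_IDS][ID_BUF_SIZE];
};

/*
 * Split a colon-delimited request value into identifiers. Every write is
 * bounded: an over-long identifier or too many identifiers rejects the
 * whole request. Returns 0 on success, -1 on rejection (out->count = 0).
 */
int parse_request(const char *request, struct id_list *out)
{
    size_t len = 0;
    out->count = 0;
    for (const char *p = request; ; p++) {
        if (*p == ':' || *p == '\0') {
            if (len > 0) {             /* empty fields ("a::b") are skipped */
                out->ids[out->count][len] = '\0';
                out->count++;
                len = 0;
            }
            if (*p == '\0') return 0;
            continue;
        }
        /* The check the article says is missing: test before writing. */
        if (out->count == MAX_IDS || len == ID_BUF_SIZE - 1) {
            out->count = 0;
            return -1;
        }
        out->ids[out->count][len++] = *p;
    }
}

int main(void)
{
    struct id_list l;
    char oversized[129];               /* constructed input: 128 'A' bytes */
    memset(oversized, 'A', 128);
    oversized[128] = '\0';
    printf("normal=%d oversized=%d\n", parse_request("68:phone_model", &l),
           parse_request(oversized, &l));
    return 0;
}
```

Rejecting the whole request, rather than truncating the identifier, keeps an oversized value from being silently processed as a different, shorter one.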
Affected Models
- GXP1610
- GXP1615
- GXP1620
- GXP1625
- GXP1628
- GXP1630
Mitigation
Grandstream released a firmware update that patches the issue:
- Firmware version: 1.0.7.81
- Download:
- Release notes:
All affected devices should be upgraded to this version as soon as possible.
Exploit Demonstration
Rapid7 published a Metasploit module that demonstrates remote code execution and post‑exploitation capabilities:
- Module:
The exploit can:
- Gain root privileges on the vulnerable phone.
- Extract stored credentials.
- Reconfigure the device to use a malicious SIP proxy, allowing interception of VoIP calls.
Impact
The ability to execute arbitrary code with root privileges poses several risks:
- Credential theft: Access to stored SIP credentials and other sensitive data.
- Call interception: By redirecting traffic to a malicious SIP proxy, attackers can eavesdrop on voice communications.
- Network pivoting: Compromised phones can be used as footholds within corporate networks, especially in environments with weak segmentation.
“This isn’t a one‑click exploit with fireworks and a victory banner,” said Rapid7’s Douglas McKee. “But the underlying vulnerability lowers the barrier in a way that should concern anyone operating these devices in exposed or lightly‑segmented environments.”