Critical VoIP Phone Vulnerability Exposes Users to Stealthy Network Attacks and Call Interception (CVE-2026-2329)


Critical Vulnerability Discovered in Grandstream VoIP Phones

A critical vulnerability in Grandstream VoIP phones has been discovered, allowing hackers to gain remote control of the devices and intercept calls. The vulnerability, tracked as CVE-2026-2329, is present in the device’s web-based API service and can be exploited without authentication.

Vulnerability Causes and Risks

According to researchers at Rapid7, the vulnerability is caused by improper bounds checking in a web management endpoint. An attacker can send a specially crafted request to the device, triggering a buffer overflow condition that enables remote code execution with root privileges. This can be done without valid credentials if the management interface is reachable, either directly or from within the network.


The risks associated with CVE-2026-2329 exploitation are significant. An attacker can use the vulnerability to remotely execute code with root privileges on a vulnerable device, gather stored credentials, and reconfigure the device to use a malicious SIP proxy. This would allow the attacker to intercept phone calls to and from the device, eavesdropping on the audio.

Affected Devices and Firmware

The vulnerability affects the entire Grandstream GXP1600 series, including the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 models. Specifically, firmware versions 1.0.7.79 and earlier are affected, while versions 1.0.7.81 and later are patched.
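To turn the model list and firmware range above into a patching worklist, the following added example (not code from Rapid7 or Grandstream) triages a phone inventory. The CSV column names and sample rows are constructed assumptions; versions are compared numerically because a string comparison would rank 1.0.7.9 above 1.0.7.81.

```python
import csv
import io
import re

# Models and version boundaries as stated in the article above.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
LAST_AFFECTED = (1, 0, 7, 79)
FIRST_PATCHED = (1, 0, 7, 81)

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,model,firmware,mgmt_reachable_from
lobby-phone,GXP1625,1.0.7.79,internet
desk-014,GXP1630,1.0.7.9,lan
desk-022,GXP1610,1.0.7.81,lan
desk-031,GXP1628,1.0.7.80,lan
conf-room,GXP1615,unknown,lan
exec-01,GXP2170,1.0.11.3,lan
"""


def parse_version(text):
    """Return the firmware version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def classify(model, firmware):
    """Classify one phone against the affected range stated in the article."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-in-scope"
    version = parse_version(firmware)
    if version is not None and version <= LAST_AFFECTED:
        return "affected"
    if version is not None and version >= FIRST_PATCHED:
        return "patched"
    # Malformed version, or one (such as 1.0.7.80) the article does not classify.
    return "verify"


def triage(inventory_csv):
    """Return (host, status) pairs, affected internet-reachable phones first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["model"], row["firmware"])
        exposed = row["mgmt_reachable_from"].strip().lower() == "internet"
        rows.append((status != "affected", not exposed, row["host"], status))
    return [(host, status) for _, _, host, status in sorted(rows)]
```

Feed `triage()` an export from your own asset inventory; phones returned as `verify` need their firmware confirmed on the device itself.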

Recommendations and Mitigation

These VoIP desk phones are widely used in small offices and corporate deployments, often on internal networks but sometimes exposed to the internet for remote administration. Given the public availability of technical information about the flaw and the release of Metasploit exploit modules, organizations using these VoIP phones are urged to apply the updated firmware as soon as possible.

The vulnerability lowers the barrier to exploitation, making it a concern for anyone operating these devices in exposed or lightly segmented environments. VoIP phones are typically trusted by default within corporate environments and often remain in service for years with little additional scrutiny, making long-term, covert access a significant risk.

Rapid7 has developed Metasploit exploit modules to demonstrate the vulnerability and has released technical information to help organizations understand the risks. The company’s Director of Vulnerability Intelligence, Douglas McKee, emphasized the importance of applying the updated firmware, given the potential for long-term, covert access.

