Critical VoIP Security Flaw in Grandstream GXP1600 Phones Exposes Calls to Eavesdropping
A severe vulnerability has been discovered in Grandstream GXP1600 voice over internet protocol (VoIP) phones, allowing unauthenticated remote code execution (RCE) and potentially leading to phone call eavesdropping. The flaw, tracked as CVE-2026-2329, is a stack-based buffer overflow with a CVSS score of 9.3 and has been patched by Grandstream.
Vulnerability Details
The vulnerability is located in the `/cgi-bin/api.values.get` API endpoint, which is designed to retrieve a phone’s configuration details. An attacker can trigger the stack buffer overflow by sending a crafted HTTP request whose “request” parameter contains a colon-delimited list of identifiers corresponding to certain phone details. The function that handles requests to this endpoint copies each identifier into a 64-byte stack buffer without checking its length, so an identifier longer than the buffer overflows it.
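As an added illustration (not Grandstream’s code; the firmware’s actual parser is not shown on the page), a bounded parser for a colon-delimited “request” parameter that performs the length check the vulnerable function omitted, assuming the 64-byte per-identifier stack buffer described above and an assumed cap of 16 identifiers per request:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Grandstream code. Models the handling of a
 * colon-delimited "request" parameter where each identifier is copied
 * into a 64-byte stack buffer, with the bounds check that was missing. */
#define ID_BUF_SIZE 64   /* size of the per-identifier stack buffer */
#define MAX_IDS 16       /* assumed cap on identifiers per request */

/* Splits `request` on ':' and copies each identifier into a 64-byte buffer
 * only after checking it fits (at most 63 chars plus the terminating NUL).
 * Returns the number of identifiers parsed, or -1 if any identifier is too
 * long. An unchecked strcpy into the 64-byte buffer is the defect the
 * overflow relies on and is deliberately not reproduced here. */
int parse_request_ids(const char *request, char ids[][ID_BUF_SIZE], int max_ids)
{
    int count = 0;
    const char *p = request;

    while (*p != '\0' && count < max_ids) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len >= ID_BUF_SIZE)   /* would not fit with the terminating NUL */
            return -1;
        if (len > 0) {            /* skip empty fields such as in "a::b" */
            memcpy(ids[count], p, len);
            ids[count][len] = '\0';
            count++;
        }
        if (!sep)
            break;
        p = sep + 1;
    }
    return count;                 /* identifiers beyond max_ids are ignored */
}

/* 1 if every identifier fits the buffer, 0 if the request carries an
 * over-long identifier (the kind of input worth logging at the edge). */
int request_is_well_formed(const char *request)
{
    char ids[MAX_IDS][ID_BUF_SIZE];
    return parse_request_ids(request, ids, MAX_IDS) >= 0;
}

int main(void)
{
    char ids[MAX_IDS][ID_BUF_SIZE];
    char oversized[ID_BUF_SIZE + 9];  /* constructed 72-char identifier */
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';
    int n = parse_request_ids("101:102:103", ids, MAX_IDS);
    printf("parsed %d identifiers, first=%s\n", n, ids[0]);
    printf("oversized accepted? %d\n", request_is_well_formed(oversized));
    return 0;
}
```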
Exploitation
To achieve RCE, an attacker must use a return-oriented programming (ROP) chain, because No Execute (NX) is enabled on the stack segment where the overflow occurs. This involves overwriting the saved return address with the addresses of preexisting machine instruction sequences, or “gadgets,” already present in memory, chaining specific gadgets together to achieve the desired execution.
Researchers have demonstrated the exploit by executing arbitrary OS commands via the “system” C function and then terminating the process cleanly using the “exit” C function, so that the phone does not crash. Additionally, a post-exploitation module has been developed to gather local user and Session Initiation Protocol (SIP) credentials and reconfigure the phone to use a SIP proxy that intercepts calls, allowing for audio eavesdropping.
According to Rapid7 Director of Vulnerability Intelligence Douglas McKee, “There’s no dramatic ‘wiretap installed’ moment. No van parked outside with antennas on the roof. Just silent, transparent interception. Conversations about contracts, negotiations, legal strategy, maybe even sensitive personal matters – all are relayed in real time.”
Affected Devices and Mitigation
The vulnerability affects all models in the Grandstream GXP1600 series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. Users of these phones should update their firmware to version 1.0.7.81 to fully resolve the flaw.
Conclusion
The discovery of this vulnerability highlights the importance of regular software updates and the need for organizations to prioritize vulnerability management to prevent exploitation by attackers.
