Critical VoIP Security Flaw in Grandstream GXP1600 Phones Exposes Calls to Eavesdropping


A Critical Vulnerability in Grandstream VoIP Phones Exposes Calls to Eavesdropping

A critical vulnerability has been discovered in Grandstream’s GXP1600 series of Voice over Internet Protocol (VoIP) phones, which could allow unauthorized remote code execution and ultimately lead to the eavesdropping of phone calls.

Vulnerability Details

The vulnerability, tracked as CVE-2026-2329, is a stack-based buffer overflow with a CVSS score of 9.3, which falls in the critical severity range.

The vulnerability is present in the phone’s API endpoint `/cgi-bin/api.values.get`, which is designed to retrieve a phone’s configuration details. However, the API does not properly validate the length of the input, allowing an attacker to overflow the stack buffer and execute malicious code with root privileges on the device.

Exploitation

To exploit the vulnerability, an attacker would need to craft a specific HTTP request that targets the vulnerable API endpoint. The request would need to include a parameter called “request” that contains a colon-delimited list of identifiers corresponding to certain phone details.

By manipulating this parameter, an attacker could overflow the stack buffer and execute arbitrary code on the device.
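The missing length validation, shown from the fixing side as an added example (this is not Grandstream's firmware code, which the article does not show): a parser for a colon-delimited identifier list like the "request" parameter that checks every identifier's length and the identifier count before copying into fixed-size buffers. The function name, the limits `MAX_ID_LEN` and `MAX_IDS`, and the sample identifiers are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 63   /* assumed per-identifier limit, not taken from the firmware */
#define MAX_IDS    32   /* assumed cap on identifiers per request */

/*
 * Split a colon-delimited identifier list into out[], rejecting the whole
 * request (-1) on any empty, oversized or surplus identifier. The overflow
 * class described above arises when the copy happens without these tests
 * and a long token runs past the end of a fixed-size stack buffer.
 */
int parse_request_ids(const char *req, size_t req_len,
                      char out[][MAX_ID_LEN + 1])
{
    size_t start = 0;
    int count = 0;

    if (req == NULL || out == NULL || req_len == 0)
        return -1;
    for (size_t i = 0; i <= req_len; i++) {
        if (i < req_len && req[i] != ':')
            continue;                      /* still inside a token */
        size_t tok_len = i - start;
        if (tok_len == 0 || tok_len > MAX_ID_LEN)
            return -1;                     /* empty or oversized identifier */
        if (count >= MAX_IDS)
            return -1;                     /* more identifiers than out[] holds */
        if (memchr(req + start, '\0', tok_len) != NULL)
            return -1;                     /* embedded NUL inside a token */
        memcpy(out[count], req + start, tok_len);
        out[count][tok_len] = '\0';        /* always NUL-terminate */
        count++;
        start = i + 1;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input; identifier names are placeholders. */
    const char *req = "id_one:id_two:id_three";
    char ids[MAX_IDS][MAX_ID_LEN + 1];
    int n = parse_request_ids(req, strlen(req), ids);
    for (int i = 0; i < n; i++)
        printf("%s\n", ids[i]);
    return n < 0;
}
```

The caller acts on the parsed identifiers only when the return value is non-negative, so a malformed request is dropped as a whole rather than partially processed.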

Researchers at Rapid7, who discovered the vulnerability, were able to develop a proof-of-concept exploit that leverages a return-oriented programming (ROP) chain to achieve remote code execution.

The exploit overwrites the saved return address on the stack with the addresses of preexisting machine instruction sequences (gadgets) in memory, chaining them to achieve the desired execution.

According to Douglas McKee, Director of Vulnerability Intelligence at Rapid7, the exploit allows for “silent, transparent interception” of phone calls, potentially exposing sensitive information such as contract negotiations, legal strategy, and personal matters.

Affected Devices

The vulnerability affects all models in the Grandstream GXP1600 series, including the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

Users of these phones are advised to update their firmware to version 1.0.7.81 to fully resolve the vulnerability.

In a statement, McKee emphasized the importance of patching the vulnerability, noting that “there’s no dramatic ‘wiretap installed’ moment” and that the exploit can occur without any visible signs of compromise.


