Grandstream VoIP Phone Vulnerability Exposes Users to Stealthy Eavesdropping Attacks


Critical Vulnerability in Grandstream VoIP Phones Enables Stealthy Eavesdropping

A critical vulnerability has been discovered in Grandstream’s GXP1600 series VoIP phones, allowing a remote, unauthenticated attacker to gain root privileges and silently eavesdrop on communications. The flaw, tracked as CVE-2026-2329, affects six models of the GXP1600 series running firmware versions prior to 1.0.7.81.

Vulnerability Details

The vulnerability is particularly concerning because Grandstream's VoIP equipment is widely deployed by small and medium-sized businesses, schools, hotels, and Internet Telephony Service Providers (ITSPs) worldwide, and the GXP line is positioned as a high-end business offering, so the exposed population is large.

According to a technical report by Rapid7 researchers, the flaw is in the phone's web-based API service, which is reachable without authentication in the default configuration. The API accepts a request parameter made up of colon-delimited identifiers. Each identifier is copied into a 64-byte stack buffer without any length check, so an overly long identifier overflows the buffer and overwrites adjacent stack memory, including saved register values, giving the attacker control of multiple CPU registers.

Exploitation and Impact

Rapid7 researchers developed a working Metasploit module demonstrating unauthenticated remote code execution as root. From there the exploit enables arbitrary OS command execution, extraction of the stored credentials for local users and SIP accounts, and reconfiguration of the device to use an attacker-controlled SIP proxy, through which calls can be intercepted.

The exploit needs several null bytes in memory to build its return-oriented programming (ROP) chain, but a single overflow through CVE-2026-2329 writes only one null byte: the string terminator the parser appends after the copied identifier, at an offset determined by that identifier's length. The researchers worked around this by supplying multiple colon-separated identifiers, triggering the overflow once per identifier and so placing a null byte at each required position.
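As an added illustration, and not Grandstream's code or Rapid7's exploit, the following C model reproduces the parsing defect from the Vulnerability Details section and the repeated-overflow trick described above. Each colon-separated identifier is copied into a 64-byte buffer with no length check and terminated with a single NUL, so an identifier of length L places a NUL at offset L; supplying identifiers in descending length order lands several NULs past the buffer without clobbering the earlier ones. The frame layout, the size of the adjacent region, the 'A' filler, and every function name are assumptions; the real device's stack layout and the ROP chain contents are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not the device's real layout): the 64-byte
 * identifier buffer followed by "adjacent memory" standing in for the saved
 * registers and return address the advisory says get overwritten. */
#define ID_BUF_LEN 64
#define ADJ_LEN    64
#define FRAME_LEN  (ID_BUF_LEN + ADJ_LEN)

/* Vulnerable pattern: each colon-delimited identifier is copied from the
 * start of the buffer with no check against ID_BUF_LEN, and every copy ends
 * with exactly one NUL. Only the end of the model frame is guarded, so the
 * demo cannot corrupt its own process; the 64-byte boundary is unchecked. */
static void parse_ids_unsafe(const char *param, uint8_t frame[FRAME_LEN]) {
    const char *p = param;
    while (*p) {
        size_t i = 0;
        while (*p && *p != ':' && i < FRAME_LEN - 1)
            frame[i++] = (uint8_t)*p++;
        frame[i] = 0;                 /* the single NUL this identifier places */
        while (*p && *p != ':') p++;  /* discard bytes past the model frame */
        if (*p == ':') p++;
    }
}

/* Hardened form: reject any identifier that does not fit in the buffer
 * together with its terminator, before anything is copied. */
static int parse_ids_safe(const char *param, uint8_t frame[FRAME_LEN]) {
    const char *p = param;
    while (*p) {
        size_t len = strcspn(p, ":");
        if (len >= ID_BUF_LEN) return -1;
        memcpy(frame, p, len);
        frame[len] = 0;
        p += len;
        if (*p == ':') p++;
    }
    return 0;
}

/* Build a parameter that lands a NUL at each requested offset. An identifier
 * of length L writes L filler bytes to frame[0..L-1] and a NUL to frame[L],
 * so later, shorter identifiers must stop short of earlier NULs: offsets are
 * required in strictly descending order. 'A' stands in for the chain bytes
 * a real exploit would place. Returns 0, or -1 on bad input. */
static int build_multi_nul_param(const size_t *offsets, size_t n,
                                 char *out, size_t out_len) {
    size_t pos = 0;
    for (size_t k = 0; k < n; k++) {
        if (k > 0 && offsets[k] >= offsets[k - 1]) return -1;
        if (pos + offsets[k] + 2 > out_len) return -1;
        if (k > 0) out[pos++] = ':';
        memset(out + pos, 'A', offsets[k]);
        pos += offsets[k];
    }
    out[pos] = 0;
    return 0;
}

/* Constructed payload: three NUL offsets, all past the 64-byte buffer. */
static const size_t DEMO_OFFSETS[] = { 100, 88, 76 };

/* Fill frame with 0xCC (untouched marker) and run the unsafe parser on it. */
static int run_unsafe_demo(uint8_t frame[FRAME_LEN]) {
    char param[512];
    if (build_multi_nul_param(DEMO_OFFSETS, 3, param, sizeof param) != 0)
        return -1;
    memset(frame, 0xCC, FRAME_LEN);
    parse_ids_unsafe(param, frame);
    return 0;
}

/* Byte left at frame[idx] after the unsafe parse, or -1 on error. */
static int unsafe_demo_byte(size_t idx) {
    uint8_t frame[FRAME_LEN];
    if (idx >= FRAME_LEN || run_unsafe_demo(frame) != 0) return -1;
    return frame[idx];
}

/* Number of NULs the unsafe parse leaves in the adjacent region. */
static int unsafe_demo_nul_count(void) {
    uint8_t frame[FRAME_LEN];
    int count = 0;
    if (run_unsafe_demo(frame) != 0) return -1;
    for (size_t i = ID_BUF_LEN; i < FRAME_LEN; i++)
        if (frame[i] == 0) count++;
    return count;
}

/* Result of the hardened parser on one identifier of the given length. */
static int safe_parse_len(size_t len) {
    uint8_t frame[FRAME_LEN];
    char param[512];
    if (len >= sizeof param) return -1;
    memset(param, 'A', len);
    param[len] = 0;
    return parse_ids_safe(param, frame);
}

int main(void) {
    printf("unsafe: %d NULs placed past the 64-byte buffer\n", unsafe_demo_nul_count());
    printf("unsafe: frame[88]=%02x frame[89]=%02x frame[101]=%02x\n",
           unsafe_demo_byte(88), unsafe_demo_byte(89), unsafe_demo_byte(101));
    printf("safe: 63-byte id -> %d, 64-byte id -> %d\n", safe_parse_len(63), safe_parse_len(64));
    return 0;
}
```

The descending-order requirement is the point a practitioner should take from the model: because every copy restarts at the buffer base, a later identifier overwrites everything below its own terminator, so the exploit has to place the farthest NUL first and work inward. The hardened parser rejects the input before any copy happens, which is the only check needed to close this class of bug.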

Response and Recommendations

Rapid7 contacted Grandstream on January 6 and again on January 20 but received no response. Users of affected GXP1600 phones should update to firmware 1.0.7.81 or later as soon as possible. Because the vulnerable API is reachable without authentication by default, phones that cannot be updated immediately should have their web interface restricted to trusted management networks so the API cannot be reached from untrusted hosts.

The discovery of this vulnerability highlights the importance of prioritizing security in the development and deployment of VoIP equipment. As the use of VoIP technology continues to grow, it is essential for manufacturers to ensure that their products are secure and resilient against potential threats.


