A serious flaw in Grandstream's GXP1600 series of VoIP phones allows an unauthenticated remote attacker to take control of the device with root privileges and listen in on calls without the user noticing. The issue, tracked as CVE-2026-2329 and rated high severity, affects several models in the GXP1600 range running firmware prior to version 1.0.7.81, including the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628 and GXP1630.
The finding was documented by Rapid7 researchers, who published a technical analysis explaining how the phone's web interface, specifically the API endpoint at /cgi-bin/api.values.get, processes a parameter named "request" made up of identifiers separated by colons. Each identifier is copied into a 64-byte stack buffer without a length check, so an overly long identifier overwrites adjacent stack memory and lets an attacker control key CPU registers, including the instruction pointer.

Exploitation requires no authentication and, by its nature, can be carried out without disrupting the phone's visible operation: calls and the interface keep working normally while the attacker runs code on the system. The researchers demonstrated a working Metasploit module that achieves remote command execution as root, which opens the door to actions such as extracting locally stored credentials, recovering SIP accounts and reconfiguring the phone to use a malicious SIP proxy that redirects or records communications.
Building the exploit chain ran into a technical limitation: each overflow can only write a single null byte, the string terminator, beyond the attacker-controlled data. To overcome this, the researchers took advantage of the way the "request" parameter is processed as a sequence of colon-separated identifiers and triggered the overflow repeatedly with multiple identifiers, placing the null bytes needed to assemble a reliable return-oriented programming (ROP) chain. Rapid7 explains these details and publishes both the research and the module in its technical posts: the general analysis and the technical description of the exploit and mitigation.
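The two mechanisms described above (an unchecked copy of each colon-separated identifier into a 64-byte stack buffer, and the use of several identifiers to place more than one null byte) can be seen in a small model. The following C program is an added illustration, not Grandstream's firmware code nor Rapid7's module: the stack frame is modelled as an explicit struct (a 64-byte buffer followed by 16 bytes standing in for saved registers and the return address) so that the overwrite stays well-defined, and the function names, the hardened variant and the sample requests are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the vulnerable pattern (constructed for illustration, not the
 * vendor's code): a "request" parameter is split on ':' and each identifier is
 * copied into a 64-byte stack buffer. The frame is modelled explicitly so the
 * overwrite of the bytes after the buffer is observable without undefined
 * behaviour. */
#define BUF_SIZE 64
#define SAVED_SIZE 16

struct frame {
    char buf[BUF_SIZE];               /* the fixed-size request buffer        */
    unsigned char saved[SAVED_SIZE];  /* stands in for saved regs / return addr */
};

/* strcpy-style copy with no bound: writes src plus exactly one NUL terminator
 * starting at buf[0]. Returns how many bytes landed past the buffer (0 = none).
 * The cap at sizeof *f only keeps the model inside the struct. */
static size_t vulnerable_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;         /* +1: the single NUL the overflow writes */
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Hardened copy: reject any identifier that does not fit with its terminator. */
static bool safe_copy(struct frame *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= BUF_SIZE) return false;  /* needs len + 1 bytes, would overflow */
    memcpy(f->buf, src, len + 1);
    return true;
}

/* Extract the identifier starting at p (up to the next ':' or end of string)
 * into id; returns a pointer to the next identifier or NULL when done. */
static const char *next_identifier(const char *p, char *id, size_t idsz)
{
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= idsz) len = idsz - 1;    /* model limit only */
    memcpy(id, p, len);
    id[len] = '\0';
    return end ? end + 1 : NULL;
}

/* Vulnerable handler: every identifier is copied unchecked into the same frame.
 * Returns the number of identifiers that wrote past the buffer. */
static int vuln_handle_request(struct frame *f, const char *request)
{
    int overflows = 0;
    char id[256];
    const char *p = request;
    while (p) {
        p = next_identifier(p, id, sizeof id);
        if (vulnerable_copy(f, id) > 0) overflows++;
    }
    return overflows;
}

/* Hardened handler: returns the number of identifiers rejected for length. */
static int safe_handle_request(const char *request)
{
    struct frame f;
    int rejected = 0;
    char id[256];
    const char *p = request;
    while (p) {
        p = next_identifier(p, id, sizeof id);
        if (!safe_copy(&f, id)) rejected++;
    }
    return rejected;
}

/* Build "AAA...:AAA..." with the given identifier lengths (constructed input). */
static void build_request(char *out, size_t outsz, const size_t *lens, size_t count)
{
    size_t pos = 0;
    for (size_t i = 0; i < count && pos + 1 < outsz; i++) {
        if (i > 0) out[pos++] = ':';
        for (size_t k = 0; k < lens[i] && pos + 1 < outsz; k++) out[pos++] = 'A';
    }
    out[pos] = '\0';
}

int main(void)
{
    struct frame f;
    char req[512];
    size_t lens[2] = {70, 66};          /* two overlong identifiers */
    memset(&f, 0xEE, sizeof f);         /* 0xEE marks bytes never touched */
    build_request(req, sizeof req, lens, 2);
    printf("overflows: %d\n", vuln_handle_request(&f, req));
    for (int i = 0; i < SAVED_SIZE; i++) printf("%02x ", f.saved[i]);
    printf("\nrejected by hardened handler: %d\n", safe_handle_request(req));
    return 0;
}
```

The first identifier (70 bytes) fills the buffer, spills six 'A' bytes into the saved area and leaves its one NUL at offset 6; the second (66 bytes) is processed next and leaves a NUL at offset 2 while the 'A' bytes at offsets 3 to 5 survive from the first write. That is the effect the researchers relied on: one overflow yields one terminator, several identifiers yield several, at offsets chosen by their lengths. The hardened handler simply refuses any identifier that cannot fit with its terminator.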
A particular concern is that the risk is not limited to phones directly exposed to the Internet. An attacker who already has a presence on the internal network, for example through another compromised host, can pivot and attack the phones from within the same local network. Moreover, exploitation is silent and hard to detect without specific controls, which widens the window in which an adversary can collect credentials and conversations.
Grandstream has published a fix on its support site as firmware version 1.0.7.81, which resolves the vulnerability in the affected models; the latest version can be downloaded and verified on the company's official firmware page: Grandstream firmware support. Organizations using this equipment, typically small and medium-sized businesses, hotels, schools and telephony service providers, should roll out the update as soon as possible.
Installing the patch is not enough: since exploitation can enable lateral movement and credential theft, good practice is to review the phone's configuration after updating, change sensitive passwords and check for unexpectedly configured SIP servers or proxies. If compromise is suspected, it is prudent to reset the device to factory defaults after applying the patched firmware, rotate credentials and audit network logs to identify abnormal traffic or connections to unknown proxies.

For additional sources on the scope and implications of the vulnerability, specialist outlets have already covered the incident and collect technical details and recommendations: for example, BleepingComputer's coverage of this type of flaw provides context on the impact in business environments (BleepingComputer). To check the public CVE record and its rating, consult the NVD vulnerability database: CVE-2026-2329 in NVD.
In practical terms, the key recommendations for administrators and security leads are: apply version 1.0.7.81 or later on the affected models, restrict access to the administrative interface and management ports from untrusted networks, segment the network so that phones do not share a segment with critical assets, and monitor SIP configurations and voice traffic for redirections to unknown proxies. Including these devices in regular firmware inventory and update processes will also reduce the likelihood that a similar vulnerability goes unpatched in the future.
This incident is a reminder that converged devices such as IP phones, integrated routers and other infrastructure equipment are also valuable targets for attackers seeking to intercept communications or move laterally within corporate networks. Keeping software up to date, applying access controls and auditing configuration are simple but effective measures to reduce a risk that, while not always visible, can have serious consequences for confidentiality and service continuity.