Bug in widely used VoIP phones allows stealthy network footholds, call interception (CVE-2026-2329)

A critical security vulnerability (CVE-2026-2329) in Grandstream VoIP phones could let hackers remotely take full control of the devices and even intercept calls, Rapid7 researchers discovered.

“The vulnerability is present in the device’s web-based API service, and is accessible in a default configuration,” Rapid7 researcher Stephen Fewer noted.

The risks related to CVE-2026-2329 exploitation

CVE-2026-2329 stems from improper bounds checking in a web management endpoint.

An attacker can send a specially crafted request to the device that triggers a buffer overflow condition, potentially enabling unauthenticated attackers to remotely execute code with root privileges on a vulnerable device.

Because the flaw does not require authentication, it can be exploited without valid credentials if the management interface is reachable (either directly, or from somewhere else inside the network).

Rapid7 has developed Metasploit exploit modules to demonstrate how attackers may leverage this vulnerability to:

  • Remotely execute code with root privileges on a vulnerable device
  • Gather credentials (e.g., local user and SIP accounts) stored on the device

“Finally, we can leverage our RCE capabilities to reconfigure the target device to use a malicious SIP proxy [a server that routes Session Initiation Protocol messages between devices], allowing an attacker to transparently intercept phone calls to and from the device, and eavesdrop on the audio,” Fewer explained.

What to do?

CVE-2026-2329 affects the entire Grandstream GXP1600 series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

More specifically, the flaw affects firmware versions 1.0.7.79 and earlier, and has been fixed in v1.0.7.81.

This line of VoIP desk phones is widely used in small offices and corporate deployments. These devices are often deployed on internal networks, but are sometimes exposed to the internet for remote administration.

Because detailed technical information about the flaw is publicly available and Metasploit exploit modules have been released, organizations using these VoIP phones are strongly urged to apply the updated firmware as soon as possible.
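The remediation guidance above reduces to an inventory question: which phones are GXP1600-series units on firmware 1.0.7.79 or earlier, and which of those have a reachable web interface. The following added example (not Rapid7's or Grandstream's code) triages a constructed CSV inventory against the model list and version boundary given above; the CSV column layout is an assumed schema, and the numeric version comparison avoids the string-comparison pitfall where "1.0.7.9" would sort above "1.0.7.81".

```python
import csv
import io

# Affected models and firmware boundary as stated in the advisory coverage above.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
LAST_VULNERABLE = "1.0.7.79"   # this version and earlier are affected
FIXED_VERSION = "1.0.7.81"     # first release carrying the fix

def parse_version(version):
    """Turn '1.0.7.79' into (1, 0, 7, 79) so each component compares numerically.
    A plain string comparison would wrongly rank '1.0.7.9' above '1.0.7.81'."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(model, firmware):
    """True when the device is a GXP1600-series phone on firmware <= 1.0.7.79."""
    return (model.strip().upper() in AFFECTED_MODELS
            and parse_version(firmware) <= parse_version(LAST_VULNERABLE))

def triage(inventory_csv):
    """Classify each inventory row by patch urgency; returns {host: status}.
    Assumed (hypothetical) columns: host, model, firmware, web_ui_reachable_from."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            status = "not-affected-series"
        elif not is_vulnerable(row["model"], row["firmware"]):
            status = "fixed-or-newer"
        elif row["web_ui_reachable_from"].strip().lower() == "internet":
            status = "URGENT-patch-and-restrict"   # unauthenticated RCE reachable from outside
        else:
            status = "patch-and-segment"           # internal reachability is still exploitable
        result[row["host"]] = status
    return result

# Constructed sample inventory: hosts, versions and the MODEL-X placeholder are illustrative.
SAMPLE_INVENTORY = """\
host,model,firmware,web_ui_reachable_from
10.0.5.21,GXP1625,1.0.7.79,internal
10.0.5.22,GXP1630,1.0.7.81,internal
203.0.113.7,GXP1610,1.0.7.9,internet
10.0.5.40,MODEL-X,2.0.0.1,internal
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```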

While exploitation requires knowledge and skill, the vulnerability “lowers the barrier in a way that should concern anyone operating these devices in exposed or lightly-segmented environments,” said Douglas McKee, Director of Vulnerability Intelligence at Rapid7.

He also pointed out that the main risk lies in the potential for long-term, covert access, as VoIP phones are typically trusted by default within corporate environments and often remain in service for years after deployment with little additional scrutiny.
