PROBABLYPWNED
Vulnerabilities | February 19, 2026 | 4 min read

Grandstream VoIP Phones Vulnerable to Silent Eavesdropping

CVE-2026-2329 (CVSS 9.3) enables unauthenticated RCE on Grandstream GXP1600 VoIP phones. Attackers can intercept calls, steal credentials. Patch to 1.0.7.81.

Marcus Chen

A critical vulnerability in Grandstream's widely deployed VoIP phone series allows remote attackers to gain root access without authentication—and from there, silently intercept calls, extract credentials, and pivot deeper into corporate networks.

Rapid7 researchers disclosed CVE-2026-2329 on February 18, revealing a stack-based buffer overflow in the GXP1600 series that carries a CVSS score of 9.3. The vulnerability exists in default configurations, requiring no special setup to exploit.

Technical Breakdown

The flaw resides in the phone's web-based API service, specifically the /cgi-bin/api.values.get endpoint. When processing HTTP POST requests, the API copies user-supplied input into a 64-byte stack buffer without performing any length validation.

According to Rapid7's analysis, "no length check is performed to ensure that no more than 63 characters" are written to the buffer. This allows attackers to overwrite adjacent stack memory and ultimately hijack the program counter.

What makes this particularly dangerous is the absence of security mitigations. The vulnerable binary (/app/bin/gs_web) lacks stack canaries and Position Independent Executable (PIE) protections. Combined with a predictable load address of 0x00008000, the conditions are ripe for Return Oriented Programming (ROP) chain attacks.

Rapid7 has already developed working Metasploit modules demonstrating successful exploitation with root privileges.

Affected Devices and Versions

All six models in the GXP1600 series share common firmware and are equally vulnerable:

Model      Status        Fixed Version
GXP1610    Vulnerable    1.0.7.81+
GXP1615    Vulnerable    1.0.7.81+
GXP1620    Vulnerable    1.0.7.81+
GXP1625    Vulnerable    1.0.7.81+
GXP1628    Vulnerable    1.0.7.81+
GXP1630    Vulnerable    1.0.7.81+

Firmware versions 1.0.7.79 and earlier are affected. Grandstream released the patched version 1.0.7.81 on February 2, 2026.
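An added illustration, not code from the article or from Rapid7's advisory, of how to triage a phone inventory against the fixed version. The inventory entries and the 1.0.7.85 build are constructed, and the check compares dotted versions numerically, which matters because a plain string comparison ranks 1.0.7.9 above 1.0.7.81:

```python
"""Triage a phone inventory against the CVE-2026-2329 fixed firmware version."""

# Models and fix version as listed in the article.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = "1.0.7.81"


def parse_version(text: str) -> tuple:
    """Turn a dotted firmware string into a tuple of ints so that
    1.0.7.9 < 1.0.7.81 (comparing the raw strings would get that wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(model: str, firmware: str) -> bool:
    """True if this is a GXP1600-series phone running firmware below the fix."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory: list) -> list:
    """Return the (model, firmware) pairs that still need the 1.0.7.81 update."""
    return [(m, fw) for m, fw in inventory if needs_patch(m, fw)]


# Constructed inventory for illustration; these are not real devices.
INVENTORY = [
    ("GXP1625", "1.0.7.79"),   # affected: last unpatched release
    ("GXP1628", "1.0.7.9"),    # affected, although a string compare would say otherwise
    ("GXP1610", "1.0.7.81"),   # patched
    ("GXP1630", "1.0.7.85"),   # hypothetical later build, treated as patched
    ("GXP2170", "1.0.11.2"),   # different series, outside the scope of this CVE
]

if __name__ == "__main__":
    for model, fw in triage(INVENTORY):
        print(f"UPDATE NEEDED: {model} on firmware {fw}")
```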

What Attackers Can Do

With root access to the phone's operating system, attackers gain extensive capabilities:

  • Extract stored credentials including local admin passwords and SIP account details
  • Configure malicious SIP proxies to intercept, record, or forward calls
  • Persist access by modifying firmware or device configuration files
  • Use compromised phones as pivot points into voice services infrastructure
  • Eavesdrop on conversations without any indication to users

The eavesdropping angle is particularly concerning for organizations handling sensitive discussions—legal firms, healthcare providers, financial services, and any business where confidentiality matters.

A Pattern in Embedded Device Security

VoIP phones and similar embedded devices have historically received less security scrutiny than traditional IT infrastructure. They're often deployed by facilities teams rather than IT security, updated infrequently, and treated as "appliances" that just work.

This vulnerability fits a broader pattern. Earlier this year, ICONICS SCADA systems suffered a denial-of-service flaw that could disrupt industrial operations. CISA has repeatedly issued advisories covering ICS vulnerabilities from vendors like Siemens and Schneider Electric. The common thread: embedded systems with network exposure and weak security controls.

Grandstream phones are popular in SMB environments precisely because they're affordable and straightforward to deploy. That same accessibility means they're often installed without hardening, left on default credentials, and forgotten until something breaks.

Disclosure Timeline

Date                 Event
January 6, 2026      Rapid7 contacts Grandstream
February 2, 2026     Grandstream confirms patch availability
February 18, 2026    Public disclosure

The 43-day window between initial contact and patch availability is reasonable. Organizations now have working firmware to deploy—the question is whether they'll act before attackers weaponize the public details.

Recommended Mitigations

Immediate actions:

  1. Update firmware to version 1.0.7.81 or later on all GXP1600 series phones
  2. Segment VoIP infrastructure from general corporate networks
  3. Disable web management interfaces where not strictly required
  4. Change default credentials if you haven't already

For network teams:

Review firewall rules controlling access to VoIP phone management interfaces. These endpoints shouldn't be reachable from untrusted networks. If remote management is required, implement VPN access rather than direct exposure.

Detection guidance:

Monitor for unusual HTTP POST requests to /cgi-bin/api.values.get on VoIP phone IP addresses. Abnormally long request parameter values could indicate exploitation attempts. Unexpected outbound connections from phone management interfaces warrant investigation.
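An added example, not part of the article, that applies the detection guidance above to constructed HTTP requests: it parses a raw POST, matches the path against /cgi-bin/api.values.get, and flags any form parameter longer than the 63 characters the 64-byte buffer can safely hold. The parameter name `param` and the 192.0.2.10 address are placeholders, not the API's real field names:

```python
"""Flag HTTP requests matching the CVE-2026-2329 exploitation pattern."""
from urllib.parse import parse_qs

VULN_ENDPOINT = "/cgi-bin/api.values.get"
# 64-byte buffer, so 63 characters is the most a fixed build should accept.
MAX_SAFE_LEN = 63


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def suspicious_params(req: dict) -> list:
    """Return (name, length) for each form parameter over MAX_SAFE_LEN in a
    POST to the vulnerable endpoint; an empty list means nothing to flag."""
    if req["method"] != "POST" or req["path"].split("?", 1)[0] != VULN_ENDPOINT:
        return []
    params = parse_qs(req["body"], keep_blank_values=True)
    return [(name, len(v)) for name, values in params.items()
            for v in values if len(v) > MAX_SAFE_LEN]


# Constructed sample traffic (not real captures): a normal-sized value and an
# oversized one; "param" is a placeholder, not the API's actual field name.
BENIGN = ("POST /cgi-bin/api.values.get HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\nparam=phone_name")
OVERSIZED = ("POST /cgi-bin/api.values.get HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "param=" + "A" * 200)

if __name__ == "__main__":
    for raw in (BENIGN, OVERSIZED):
        hits = suspicious_params(parse_request(raw))
        print("ALERT" if hits else "ok", hits)
```

The same check can be run from a proxy or IDS log that records the request body; the phone itself offers little logging, so the signal has to come from the network.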

Why This Matters

VoIP infrastructure sits in a security blind spot for many organizations. Phones are everywhere, often numbering in the hundreds or thousands across enterprise deployments. They handle sensitive conversations by default. And they're rarely included in vulnerability management programs with the same rigor as servers or workstations.

CVE-2026-2329 is a wake-up call. If your Grandstream phones haven't been updated since early February, the exploitation path is documented, tools exist, and attackers have every incentive to capitalize. Phone conversations are valuable—for espionage, extortion, or simply understanding a target's operations.

Check your VoIP inventory, deploy the patch, and treat these devices with the same security attention you'd give any other networked system with root-level access to your infrastructure.
