A critical vulnerability affecting Grandstream’s GXP1600 series phones could allow threat actors to intercept calls, Rapid7 reported this week.
The vulnerability, tracked as CVE-2026-2329, has been described as a stack-based buffer overflow that can be exploited by an unauthenticated attacker to remotely execute code with root privileges on the targeted device.
The GXP1600 is a line of basic VoIP desktop phones mainly used by small-to-medium businesses.
An attacker could exploit the vulnerability to extract secrets from vulnerable phones, including local and SIP account credentials, enabling call interception and eavesdropping.
“With root access, the attacker can reconfigure the device’s SIP settings to point to infrastructure they control. A malicious SIP proxy. Calls still dial. The display still lights up. The user still hears a dial tone. But now, every call flows through someone else’s hands first,” explained Douglas McKee, director of vulnerability intelligence at Rapid7.
“There’s no dramatic ‘wiretap installed’ moment. No van parked outside with antennas on the roof. Just silent, transparent interception. Conversations about contracts, negotiations, legal strategy, maybe even sensitive personal matters — all are relayed in real time,” McKee added.
However, the expert noted that “exploitation requires knowledge and skill”.
“This isn’t a one-click exploit with fireworks and a victory banner. But the underlying vulnerability lowers the barrier in a way that should concern anyone operating these devices in exposed or lightly-segmented environments,” McKee said.
Threat actors have been known to target Grandstream product vulnerabilities, including to ensnare them in botnets.
The vulnerability was responsibly disclosed to Grandstream in January and a patched firmware version (1.0.7.81) was made available in just over a week.
Rapid7 has released technical details for CVE-2026-2329. Grandstream has published its own advisory for the vulnerability.
Related: Aquabot Botnet Targeting Vulnerable Mitel Phones
Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones
Related: Landfall Android Spyware Targeted Samsung Phones via Zero-Day
