A critical security vulnerability in Grandstream’s GXP1600 series VoIP phones has been disclosed as CVE-2026-2329, a buffer-overflow flaw that can give unauthenticated attackers full control of affected devices and enable remote code execution. The flaw affects all six models in the GXP1600 line and carries a CVSS v3.1 score of 9.3, underscoring the risk to SMBs, hotels, call centres and other organisations that rely on VoIP infrastructure.
A security researcher at Rapid7 discovered the vulnerability during a zero-day project and reported it to Grandstream in early January, with Grandstream publicly disclosing the issue after releasing a patch on 2 February. In worst-case scenarios, attackers could intercept SIP traffic, exfiltrate credentials including plaintext SIP passwords stored on the device, and use compromised phones as footholds for further network access, according to Rapid7.
The firm stresses that defenders should prioritise strong authentication, network segmentation and timely firmware updates, given VoIP devices’ tendency to be deployed with limited monitoring and security controls.