www.securityweek.com 2/23/2026, 12:37:01 AM · via preferred

CVE-2026-2329 lets attackers hijack Grandstream GXP1600 calls

CyberSIXT Evidence Panel
CVE Intel
CISA KEV: Not in KEV
Patch: Available

A critical vulnerability in Grandstream’s GXP1600 series phones, tracked as CVE-2026-2329, can be exploited without authentication to remotely execute code with root privileges. The flaw is described as a stack-based buffer overflow that could allow threat actors to extract local and SIP account credentials, enabling call interception and eavesdropping.

An attacker with root access can reconfigure the device’s SIP settings to point to infrastructure they control, meaning every call could flow through another party’s hands while the user still experiences a dial tone. The vulnerability was disclosed to Grandstream in January, and patched firmware, version 1.0.7.81, was released just over a week later. Rapid7 has provided technical details, and Grandstream has published its advisory.

According to Rapid7, exploitation requires expertise; while it is not a one-click attack, the vulnerability lowers the barrier for operators in exposed environments. Threat actors have been known to target Grandstream vulnerabilities, including to ensnare devices in botnets.
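The two defensive checks the article implies, firmware below 1.0.7.81 and a SIP server that is not one you operate, can be run over a phone inventory. The following is an added example, not code from SecurityWeek, Rapid7 or Grandstream; the CSV column names, host names, approved SIP server and sample rows are constructed assumptions.

```python
import csv
import io

PATCHED = (1, 0, 7, 81)  # fixed firmware version named in the article

# Constructed inventory export; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,model,firmware,sip_server
phone-01.example.internal,GXP1625,1.0.7.81,sip.example.internal
phone-02.example.internal,GXP1610,1.0.7.64,sip.example.internal
phone-03.example.internal,GXP1630,1.0.7.81,198.51.100.23
phone-04.example.internal,GXP1628,unknown,sip.example.internal
phone-05.example.internal,GXP2170,1.0.5.2,sip.example.internal
"""

APPROVED_SIP = {"sip.example.internal"}  # assumed: the SIP servers you operate


def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, approved_sip):
    """Map host -> list of findings, for GXP1600-series rows only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not row["model"].upper().startswith("GXP16"):
            continue  # outside the affected series
        issues = []
        version = parse_version(row["firmware"])
        if version is None:
            issues.append("firmware-unknown")  # treat as unpatched until verified
        elif version < PATCHED:
            issues.append("firmware-below-1.0.7.81")
        if row["sip_server"].strip().lower() not in approved_sip:
            issues.append("sip-server-not-approved")
        if issues:
            findings[row["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY, APPROVED_SIP).items():
        print(host, ", ".join(issues))
```

A phone that reports patched firmware but an unapproved SIP server (phone-03 in the sample) still warrants investigation, since the setting may have been changed before the update was applied.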


Article by CyberSIXT