A critical security flaw in Grandstream GXP1600 series VoIP phones allows remote attackers to gain full root access without needing any login credentials. This vulnerability, which is tracked as CVE-2026-2329, enables hackers to silently intercept calls and eavesdrop on private business communications.
Grandstream Networks provides communication hardware to a wide range of organizations, including small businesses, schools, and hotels globally. Their GXP product line is a primary choice for high-end office environments and internet telephony service providers. However, a significant portion of this infrastructure is now at risk due to a flaw that has been assigned a critical severity rating of 9.3. The issue specifically affects GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 models running firmware versions earlier than 1.0.7.81.
Even if these devices are tucked behind a firewall and not directly exposed to the public internet, they remain vulnerable. An attacker who has already gained access to a single computer on the local network can use that position to pivot toward the phones. Because the exploitation process is entirely silent, the device continues to function normally while the attacker maintains control. This makes detection nearly impossible for the average user or administrator without specialized monitoring tools.
Technical analysis from researchers at Rapid7 reveals that the weakness lies within the web-based API service used by the devices. Specifically, the endpoint located at /cgi-bin/api.values.get is accessible without any authentication in the default factory settings. This open door allows anyone on the network to send commands to the device's internal software, providing the initial foothold necessary for the rest of the attack chain.
The core of the problem is a classic stack-based buffer overflow in how the API handles request data. When a request parameter carries certain identifiers, the device copies the parameter's contents into a 64-byte buffer on the stack. The software never checks the length of the incoming data before copying it. By sending an intentionally oversized string, an attacker can overflow this buffer and overwrite adjacent stack memory, which lets them take control of the program counter and force the device to execute code of their choosing.
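To make the two weaknesses concrete, the following is an added example in C (not Grandstream's firmware, not Rapid7's module) that places the unchecked copy described above beside a hardened handler that first gates on authentication and then rejects any parameter that does not fit the 64-byte buffer. The function names, the HTTP-style status codes and the constructed sample parameters are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define VALUE_BUF_LEN 64  /* the 64-byte stack buffer described in the write-up */

/* Vulnerable pattern (hypothetical reconstruction, NOT Grandstream's code):
 * the request parameter is copied into a fixed stack buffer with no length
 * check, so a parameter of 64 bytes or more writes past the end of the buffer.
 * Shown for contrast only; nothing below calls it with long input. */
void copy_param_unchecked(const char *param) {
    char buf[VALUE_BUF_LEN];
    strcpy(buf, param);   /* unbounded copy: this is the overflow */
    (void)buf;
}

/* Hardened copy: measure first, reject anything that does not fit together
 * with its terminator, never truncate silently. Returns 0 on success, -1 if rejected. */
int copy_param_checked(const char *param, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && param[n] != '\0') n++;
    if (n == out_len) return -1;        /* too long for out_len bytes incl. NUL */
    memcpy(out, param, n + 1);
    return 0;
}

/* Simulated api.values.get-style handler returning an HTTP-like status:
 * an authentication gate first (the default configuration had none), then
 * the bounded copy. 'authenticated' stands in for a real session check. */
int handle_api_values_get(int authenticated, const char *param) {
    char buf[VALUE_BUF_LEN];
    if (!authenticated) return 401;
    if (copy_param_checked(param, buf, sizeof buf) != 0) return 400;
    return 200;
}

/* Constructed sample input: a parameter of 'len' bytes of 'A' (capped at 255). */
int status_for_param_len(int authenticated, size_t len) {
    char param[256];
    if (len > sizeof param - 1) len = sizeof param - 1;
    memset(param, 'A', len);
    param[len] = '\0';
    return handle_api_values_get(authenticated, param);
}

int main(void) {
    printf("unauthenticated, 10 bytes: %d\n", status_for_param_len(0, 10));
    printf("authenticated, 63 bytes:   %d\n", status_for_param_len(1, 63));
    printf("authenticated, 64 bytes:   %d\n", status_for_param_len(1, 64));
    printf("authenticated, 200 bytes:  %d\n", status_for_param_len(1, 200));
    return 0;
}
```

The 63-byte case succeeds because it still leaves room for the terminator, while the 64-byte case is exactly the point at which the unchecked version would begin overwriting adjacent memory.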
To prove the severity of the situation, security experts developed a working exploit module that demonstrates how easily an attacker can seize root-level privileges. This level of access grants the intruder total authority over the phone, including the ability to record audio and modify system settings. Users of the affected GXP1600 models are urged to update their firmware immediately to the latest patched version to prevent unauthorized surveillance.
Source: Grandstream VoIP Phone Vulnerability Allows Stealthy Eavesdropping