A critical security flaw in the Grandstream GXP1600 series of VoIP phones, tracked as CVE-2026-2329, could allow attackers to gain unauthorized root access and execute code remotely. The vulnerability, rated with a severe CVSS score of 9.3 out of 10, affects millions of enterprise and small business communication devices worldwide.
Cybersecurity researchers at Rapid7 disclosed the vulnerability on January 6, 2026, highlighting its unauthenticated nature and the significant risks it poses to network security. The bug is embedded within the devices’ web-based API service, specifically the “/cgi-bin/api.values.get” endpoint, which is accessible by default without any form of authentication in many configurations.
Grandstream VoIP Phones Vulnerable to Remote Code Execution
The discovered vulnerability, CVE-2026-2329, stems from a flaw in how the Grandstream GXP1600 series handles requests to its API. According to Rapid7 researcher Stephen Fewer, who reported the bug, an attacker can exploit this by sending a specially crafted “request” parameter to the “/cgi-bin/api.values.get” endpoint. This parameter is supposed to fetch configuration details, but the API fails to adequately check the length of the data it receives.
As a result, an attacker-controlled string within the “request” parameter can overflow a small 64-byte buffer on the device’s stack. This overflow corrupts adjacent memory, enabling the attacker to execute arbitrary code on the phone with root privileges. This level of access allows for complete control over the device.
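The pattern described above, written out as an added illustration in C: a hypothetical handler copies the "request" parameter into a 64-byte stack buffer without checking its length, beside a hardened version that rejects anything that does not fit. This is modelled on the description only; it is not Grandstream's firmware code or Rapid7's material, and the buffer name, function names and sample key are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler for the "request" parameter of an api.values.get
 * style endpoint. Modelled on the bug class described in the text, not
 * taken from any vendor firmware. */
#define REQ_BUF_LEN 64

/* BEFORE: the copy trusts the length of the incoming value. Any value of
 * 64 bytes or more writes past the end of req[] into adjacent stack data,
 * which is the corruption the text describes. */
void api_values_get_vulnerable(const char *request_value)
{
    char req[REQ_BUF_LEN];
    strcpy(req, request_value);          /* unbounded copy: stack overflow */
    printf("lookup key: %s\n", req);
}

/* AFTER: measure the value within the buffer bound first and reject it
 * when it would not fit together with its NUL terminator.
 * Returns 0 when the value was accepted and copied, -1 when rejected. */
int api_values_get_fixed(const char *request_value, char *out, size_t outlen)
{
    /* memchr never reads past outlen bytes, even for an unterminated input */
    const char *nul = memchr(request_value, '\0', outlen);
    if (nul == NULL)                     /* no terminator within the bound */
        return -1;
    memcpy(out, request_value, (size_t)(nul - request_value) + 1);
    return 0;
}

/* Same 64-byte stack buffer as the vulnerable version, now guarded. */
int api_values_get_checked(const char *request_value)
{
    char req[REQ_BUF_LEN];
    return api_values_get_fixed(request_value, req, sizeof req);
}

/* Builds a constructed value of n 'A' bytes (capped at 255) and feeds it
 * to the guarded handler, so callers can probe the boundary. */
int check_value_of_length(size_t n)
{
    char value[256];
    if (n > sizeof value - 1)
        n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    return api_values_get_checked(value);
}

int main(void)
{
    printf("sample key accepted: %d\n", api_values_get_checked("constructed.sample.key"));
    printf("63-byte value: %d, 64-byte value: %d\n",
           check_value_of_length(63), check_value_of_length(64));
    return 0;
}
```

The boundary matters: a 63-byte value still fits with its terminator, while 64 bytes or more is exactly the input that overruns the unchecked version.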
The affected models include the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. These devices are commonly used in various business environments for voice over IP (VoIP) communication, making the scope of this vulnerability potentially widespread.
Implications of the Grandstream Vulnerability
The implications of CVE-2026-2329 are significant for enterprise security. With root privileges, an attacker can not only take full control of the VoIP phone but also leverage this access for further malicious activities. Rapid7 has developed a Metasploit exploit module that demonstrates how this vulnerability can be used to extract stored credentials from compromised devices.
Furthermore, the remote code execution capabilities of the flaw can be weaponized to reconfigure the affected VoIP phones. Attackers could potentially redirect all phone calls through a malicious Session Initiation Protocol (SIP) proxy. This would allow them to intercept calls, eavesdrop on conversations, and gain clandestine access to sensitive voice data, posing a serious threat to business privacy and integrity.
“This isn’t a one-click exploit with fireworks and a victory banner,” Rapid7’s Douglas McKee commented on the nature of the exploit. “But the underlying vulnerability lowers the barrier in a way that should concern anyone operating these devices in exposed or lightly-segmented environments.”
Grandstream addressed the vulnerability by releasing a firmware update, version 1.0.7.81, which was made available late last month. Organizations are strongly advised to update the firmware on all Grandstream GXP1600 series VoIP phones to the latest version to mitigate the risks associated with this critical security flaw. Failure to do so could leave their communication infrastructure open to serious breaches and unauthorized surveillance.