Grandstream GXP1600 VoIP Phones CVE-2026-2329 Enables Unauthenticated Root RCE and Call Interception


Grandstream GXP1600 series VoIP phones suffer critical CVE-2026-2329 stack buffer overflow. Attackers gain root privileges remotely without authentication via web API endpoint /cgi-bin/api.values.get. Rapid7 researchers disclosed the flaw discovered January 6, 2026. CVSS score hits 9.3.

The vulnerability is reachable in the default configuration. A malicious HTTP request carrying a colon-delimited “request” parameter overflows a stack buffer, and the attacker executes arbitrary code as root. Compromised phones display normal screens while calls are routed through attacker-controlled SIP proxies for silent eavesdropping.

The GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 models are affected on firmware 1.0.7.79 and earlier. Grandstream patched the flaw in version 1.0.7.81, released February 3, 2026. Metasploit modules demonstrate the full exploitation chain, and no user interaction is required.

Affected Devices Table

Model     Vulnerable Firmware   Fixed Firmware
GXP1610   ≤ 1.0.7.79            1.0.7.81+
GXP1615   ≤ 1.0.7.79            1.0.7.81+
GXP1620   ≤ 1.0.7.79            1.0.7.81+
GXP1625   ≤ 1.0.7.79            1.0.7.81+
GXP1628   ≤ 1.0.7.79            1.0.7.81+
GXP1630   ≤ 1.0.7.79            1.0.7.81+

Update via TFTP/HTTP central provisioning.

Attack Capabilities Post-RCE

Root access enables attackers to:

  • Extract local user and SIP credentials.
  • Redirect SIP traffic to malicious proxies.
  • Intercept voice/video calls silently.
  • Pivot to internal network from trusted phone VLAN.
  • Persist via firmware modification.

Calls appear normal to users throughout.

Technical Root Cause

The API endpoint /cgi-bin/api.values.get parses the “request” parameter insecurely:

  GET /cgi-bin/api.values.get?request=malicious:overflow:payload HTTP/1.1

The colon-delimited fields are copied with strcpy and no bounds check; the resulting stack corruption yields a root shell. Rapid7's Metasploit module automates the exploitation.

Network Exposure Risks

VoIP phones face unique threats:

  • Default management interfaces are exposed to the corporate LAN.
  • Often excluded from EDR coverage.
  • SIP traffic blends with legitimate calls.
  • Long replacement cycles (3-5 years).

Call centers, with large fleets of identical phones, create a massive attack surface.

Immediate Mitigation Steps

Deploy compensating controls now:

  • Block management ports (80/443) from untrusted networks.
  • Segment VoIP VLAN from data subnets.
  • Centralize firmware updates via provisioning server.
  • Monitor SIP REGISTER to unknown proxies.
  • Disable the web UI if TR-069 management is in use.

Audit current firmware versions across inventory.

Detection Signatures

Network signs of compromise:

User-Agent: Grandstream.*1.0.7.79
POST /cgi-bin/api.values.get HTTP/1.1
Content: request=exploit:payload
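As an added example (not code from Rapid7, Grandstream or this article), the following Python checks access-log lines from a phone management interface or a provisioning server for the two signs above: oversized colon-delimited “request” values sent to /cgi-bin/api.values.get, and Grandstream User-Agents reporting firmware older than 1.0.7.81. The combined log format, the 128-byte threshold and the User-Agent layout are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_ENDPOINT = "/cgi-bin/api.values.get"
FIXED_FIRMWARE = (1, 0, 7, 81)   # first patched release per the advisory
MAX_REQUEST_LEN = 128            # assumed ceiling for a benign "request" value; tune to real traffic

# Combined-log-format line: src - - [ts] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA_FW_RE = re.compile(r"Grandstream.*?(\d+\.\d+\.\d+\.\d+)")   # assumed User-Agent layout

def firmware_tuple(ua):
    """Firmware version tuple from a Grandstream User-Agent, or None for other clients."""
    m = UA_FW_RE.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def analyse_line(line):
    """Return (reason, detail) findings for one access-log line; [] if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = urlsplit(m["target"])
    if parts.path == VULN_ENDPOINT:
        req = parse_qs(parts.query).get("request", [""])[0]
        fields = req.split(":")
        # The overflow needs an oversized colon-delimited value; legitimate API queries are short.
        if len(req) > MAX_REQUEST_LEN or max(len(f) for f in fields) > MAX_REQUEST_LEN // 2:
            findings.append(("oversized_request_param",
                             f"{m['src']} len={len(req)} fields={len(fields)}"))
    fw = firmware_tuple(m["ua"])
    if fw is not None and fw < FIXED_FIRMWARE:   # a phone checking in with unpatched firmware
        findings.append(("vulnerable_firmware", f"{m['src']} fw={'.'.join(map(str, fw))}"))
    return findings

def scan(lines):
    """Run analyse_line over an iterable of log lines and collect every finding."""
    return [f for line in lines for f in analyse_line(line)]

# Constructed sample lines; the long value is plain filler, not a payload.
SAMPLE_LINES = [
    '10.10.5.21 - - [06/Jan/2026:10:01:02 +0000] "GET /cgi-bin/api.values.get?request=phone_model:vendor HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [06/Jan/2026:10:01:05 +0000] "GET /cgi-bin/api.values.get?request=' + ":".join(["A" * 64] * 6) + ' HTTP/1.1" 500 0 "-" "curl/8.0"',
    '10.10.5.22 - - [06/Jan/2026:10:02:00 +0000] "GET /cfg1625.xml HTTP/1.1" 200 2048 "-" "Grandstream Model HW GXP1625 SW 1.0.7.79"',
    '10.10.5.23 - - [06/Jan/2026:10:02:01 +0000] "GET /cfg1630.xml HTTP/1.1" 200 2048 "-" "Grandstream Model HW GXP1630 SW 1.0.7.81"',
]
```

Running scan(SAMPLE_LINES) flags the second line as an oversized request and the third as a phone still on 1.0.7.79; the benign API query and the patched phone produce nothing.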

SIP anomalies:

  • New proxy/registrar endpoints.
  • External SIP URI registrations.
  • Unusual call duration patterns.

Log all HTTP to phone management IPs.

SIP Proxy Redirection Attack

Post-exploitation sequence:

  1. Gain root via buffer overflow.
  2. Modify /etc/sip.conf proxy settings.
  3. Route calls through attacker server.
  4. Record RTP streams transparently.
  5. Restore original config after session.

The MITM causes no dropped calls, so users notice nothing.

Enterprise Impact Assessment

Environment         Risk Level   Priority
Executive phones    Critical     Update today
Call centers        Critical     Mass patching
Branch offices      High         Within 7 days
Remote workers      Medium       VPN filtering

Inventory 100% of Grandstream assets before prioritizing.

FAQ

Which Grandstream models suffer CVE-2026-2329?

GXP1610, 1615, 1620, 1625, 1628, 1630 series.

What firmware fixes the VoIP root RCE?

Version 1.0.7.81 and later.

Does exploitation require authentication?

No. Unauthenticated remote attack in default config.

What enables silent call interception?

Root RCE redirects SIP proxy settings.

Can compromised phones pivot internally?

Yes. Trusted VoIP VLAN reaches corporate servers.

Where can the Metasploit exploit module be found?

Rapid7 published proof-of-concept modules.
