If your office desks are equipped with Grandstream GXP1600 series phones, you might want to pause the hold music and update your firmware immediately. A severe zero-day vulnerability has been uncovered that could allow hackers to silently take over these devices, turning everyday office equipment into an unauthenticated backdoor.
Stephen Fewer, Senior Principal Security Researcher at Rapid7, recently published the findings of a deep-dive investigation into these popular enterprise communication devices. The report details a critical flaw that leaves the entire GXP1600 series wide open to attack.
The research focused on the web-based API service of the Grandstream GXP1600 series, which is accessible under its default configuration.
“Rapid7 Labs conducted a zero-day research project against the Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones,” the report states. “This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329”.
With a CVSSv4 score of 9.3 (Critical), the flaw bypasses the need for any login credentials. The report starkly warns that “A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device”.
The vulnerability stems from a weakness categorized as CWE-121: Stack-based Buffer Overflow. By crafting a malicious, colon-delimited request parameter, attackers can manipulate the memory layout of the device by sequentially writing multiple null bytes.
Once they have shaped the memory, attackers can deploy a Return-Oriented Programming (ROP) chain to take control. “We choose to create a ROP chain that will execute an arbitrary OS command via the system standard C library function, before terminating the process gracefully via the exit standard C library function to avoid crashing the process,” the researchers explain. This “graceful termination” ensures the victim remains completely unaware that their phone has been compromised.
Gaining root access to a VoIP phone gives an attacker a powerful foothold inside a corporate network. To demonstrate the real-world impact, Rapid7 developed custom Metasploit modules.
While the primary exploit module achieves remote code execution, a secondary post-exploitation module does the heavy lifting for reconnaissance. The report notes that this module “allows an attacker to gather credentials, such as local user and SIP accounts, stored on a compromised GXP1600 device”. Armed with SIP accounts, cybercriminals could intercept communications, conduct toll fraud, or pivot deeper into the organization’s infrastructure.
Because all models in the GXP1600 series share a common firmware image, the vulnerability casts a wide net. Affected models include the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
Fortunately, Grandstream has responded to the disclosure. Administrators are strongly urged to apply the vendor-supplied firmware update, version 1.0.7.81, which is available now to “fully remediate CVE-2026-2329”.
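For administrators with many desks to check, the first task is finding which phones still run pre-fix firmware. The following is an added example (not code from Rapid7 or Grandstream) that triages a constructed inventory against the affected-model list and the 1.0.7.81 fixed version named above; hostnames and firmware strings are made up, and the inventory would in practice come from your own asset database or the vendor management interface.

```python
# Added example: triage a phone inventory for exposure to CVE-2026-2329.
# The model list and fixed version come from the article; the inventory
# records below are constructed sample data, not real devices.
from __future__ import annotations

AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = "1.0.7.81"  # vendor release that remediates CVE-2026-2329


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware string into integers so 1.0.7.9 sorts below 1.0.7.81.

    A plain string comparison gets this wrong ("1.0.7.9" > "1.0.7.81" as text),
    which is exactly how a patched-looking phone slips through an audit.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when the model is in the GXP1600 series and runs firmware older than the fix."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory: list[dict]) -> dict[str, list[dict]]:
    """Bucket records into vulnerable / patched / out_of_scope / unknown (needs a manual look)."""
    buckets: dict[str, list[dict]] = {"vulnerable": [], "patched": [], "out_of_scope": [], "unknown": []}
    for record in inventory:
        model = record.get("model", "").strip().upper()
        if model not in AFFECTED_MODELS:
            buckets["out_of_scope"].append(record)
            continue
        try:
            vulnerable = is_vulnerable(model, record.get("firmware", ""))
        except ValueError:
            buckets["unknown"].append(record)  # blank or odd version string: verify on the device
            continue
        buckets["vulnerable" if vulnerable else "patched"].append(record)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"host": "phone-01", "model": "GXP1625", "firmware": "1.0.7.9"},   # older than fix, string compare would miss it
    {"host": "phone-02", "model": "GXP1630", "firmware": "1.0.7.81"},  # on the fixed release
    {"host": "phone-03", "model": "GXP2170", "firmware": "1.0.11.2"},  # different series, not covered by this CVE
    {"host": "phone-04", "model": "gxp1610", "firmware": "n/a"},       # version unknown, check by hand
]

if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_INVENTORY).items():
        print(bucket, [r["host"] for r in records])
```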