
"A critical vulnerability affecting Grandstream's GXP1600 series phones could allow threat actors to intercept calls, Rapid7 reported this week. The vulnerability, tracked as CVE-2026-2329, has been described as a stack-based buffer overflow that can be exploited by an unauthenticated attacker to remotely execute code with root privileges on the targeted device. The GXP1600 is a line of basic VoIP desktop phones mainly used by small-to-medium businesses."
""With root access, the attacker can reconfigure the device's SIP settings to point to infrastructure they control. A malicious SIP proxy. Calls still dial. The display still lights up. The user still hears a dial tone. But now, every call flows through someone else's hands first," explained Douglas McKee, director of vulnerability intelligence at Rapid7. However, the expert noted that "exploitation requires knowledge and skill"."
A stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600 phones allows unauthenticated remote code execution with root privileges. An attacker who achieves root can extract local and SIP account credentials and reconfigure SIP settings to route calls through attacker-controlled infrastructure. Calls continue to appear normal while being silently intercepted, enabling real-time eavesdropping on sensitive conversations. Exploitation requires skill, but the flaw lowers the barrier in exposed or lightly segmented environments. Grandstream devices have previously been targeted for botnets. A patched firmware (1.0.7.81) was released after responsible disclosure in January.
Read at SecurityWeek