Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Grandstream Phone Vulnerability Exposes Calls to Interception

The flaw tracked as CVE-2026-2329 can be exploited without authentication for remote code execution with root privileges. 

VoIP phone hacking

A critical vulnerability affecting Grandstream’s GXP1600 series phones could allow threat actors to intercept calls, Rapid7 reported this week.

The vulnerability, tracked as CVE-2026-2329, has been described as a stack-based buffer overflow that can be exploited by an unauthenticated attacker to remotely execute code with root privileges on the targeted device.

The GXP1600 is a line of basic VoIP desktop phones mainly used by small-to-medium businesses. 

An attacker could exploit the vulnerability to extract secrets from vulnerable phones, including local and SIP account credentials, enabling call interception and eavesdropping.

“With root access, the attacker can reconfigure the device’s SIP settings to point to infrastructure they control. A malicious SIP proxy. Calls still dial. The display still lights up. The user still hears a dial tone. But now, every call flows through someone else’s hands first,” explained Douglas McKee, director of vulnerability intelligence at Rapid7.

“There’s no dramatic ‘wiretap installed’ moment. No van parked outside with antennas on the roof. Just silent, transparent interception. Conversations about contracts, negotiations, legal strategy, maybe even sensitive personal matters — all are relayed in real time,” McKee added.

Advertisement. Scroll to continue reading.

However, the expert noted that “exploitation requires knowledge and skill”. 

“This isn’t a one-click exploit with fireworks and a victory banner. But the underlying vulnerability lowers the barrier in a way that should concern anyone operating these devices in exposed or lightly-segmented environments,” McKee said.

Threat actors have been known to target Grandstream product vulnerabilities, including to ensnare them in botnets.  

The vulnerability was responsibly disclosed to Grandstream in January and a patched firmware version (1.0.7.81) was made available in just over a week.

Rapid7 has released technical details for CVE-2026-2329. Grandstream has published its own advisory for the vulnerability. 

Related: Aquabot Botnet Targeting Vulnerable Mitel Phones

Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones

Related: Landfall Android Spyware Targeted Samsung Phones via Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.