Critical RCE in Grandstream GXP1600 VoIP phones enables silent eavesdropping (CVE-2026-2329)

Peter Chofield

Grandstream GXP1600 vulnerability (CVE-2026-2329): Rapid7 Labs has disclosed a critical unauthenticated stack‑based buffer overflow in the Grandstream GXP1600 series that enables unauthenticated remote root code execution. Exploitation can allow attackers to extract credentials, install a malicious SIP proxy and silently intercept calls. Grandstream released firmware 1.0.7.81 to remediate the issue; apply the update immediately.

Key takeaways:

  • CVSSv4 9.3: critical unauthenticated RCE;
  • affects all GXP1600 models that share the same firmware;
  • vendor fix available (1.0.7.81);
  • isolate VoIP devices and rotate credentials after patching.

Background

Rapid7 Labs published detailed analysis on 18 February 2026. The defect resides in an unauthenticated web API present in the default firmware image used across the GXP1600 family (GXP1610–GXP1630), so all models are affected. Grandstream’s PSIRT confirms the vulnerability and provides firmware 1.0.7.81 as the vendor remediation.

Because the vulnerable API is reachable in many default deployments, organisations that expose VoIP devices or place them on flat networks face immediate risk; network segmentation and access controls are critical mitigations.

Technical details

The flaw is an input‑validation error in a web API endpoint that returns configuration values; a specially crafted HTTP request triggers a stack buffer overflow (CWE‑121) that yields unauthenticated remote code execution as root. Rapid7 provides exploit proof‑of‑concept code and a Metasploit module demonstrating exploitation, and documents post‑exploit modules that extract local and SIP credentials and reconfigure device settings.

Affected configurations include default deployments where web management is enabled and management‑plane access is not restricted. CVSSv4 score: 9.3 (Critical).

Impact

Unauthenticated remote root execution on VoIP phones produces high operational and privacy impact. Attackers who exploit CVE‑2026‑2329 can:

  • Extract stored credentials (local admin, SIP accounts) and reuse them across networks;
  • Install or configure a malicious SIP proxy to silently intercept, record or forward calls;
  • Persist access by modifying firmware or device files;
  • Pivot from compromised phones to voice‑services infrastructure if segmentation is weak.

Because the vulnerable endpoint is enabled by default, large numbers of devices could be compromised remotely at scale until firmware is applied.

What to do now

  • Apply the patch: Immediately install Grandstream firmware 1.0.7.81 on all affected GXP1600 devices.
  • Isolate and segment: Move VoIP phones to a management VLAN and block administrative access from untrusted networks.
  • Harden management: Disable web management where possible, enforce strong local credentials and limit SIP peers to known endpoints.
  • Rotate credentials: Reset device admin and SIP account passwords after patching.
  • Detect: Monitor for unexpected SIP peers, anomalous outbound SIP traffic, and signs of a malicious SIP proxy (call forwarding rules, unknown proxies).
  • Investigate: If compromise is suspected, collect device images and configuration files for forensic review.
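The patch and detect steps above can be driven from a device inventory. The script below is an added example, not code from Rapid7 or Grandstream: it flags affected GXP1600 models still below firmware 1.0.7.81 (comparing versions numerically, so 1.0.7.9 is correctly ranked below 1.0.7.81) and flags phones whose configured SIP proxy is outside an allowlist, one sign of the malicious-proxy post-exploitation described above. The inventory records, the `sip_proxy` field and the allowlist are constructed assumptions for the example.

```python
"""Fleet audit for CVE-2026-2329 (Grandstream GXP1600 series)."""
from dataclasses import dataclass

# Affected models and fixed firmware as stated in the advisory.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = "1.0.7.81"


@dataclass
class Device:
    host: str
    model: str
    firmware: str
    sip_proxy: str  # hypothetical inventory field: proxy the phone registers through


def parse_version(version: str) -> tuple:
    # Numeric tuple so that 1.0.7.9 < 1.0.7.81; string comparison would invert this.
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(model: str, firmware: str) -> bool:
    # Vulnerable only if the model is in the affected family and runs pre-fix firmware.
    return model.upper() in AFFECTED_MODELS and parse_version(firmware) < parse_version(FIXED_VERSION)


def audit(devices, allowed_proxies):
    # Returns {host: [issue, ...]} for every device with at least one finding.
    findings = {}
    for dev in devices:
        issues = []
        if is_vulnerable(dev.model, dev.firmware):
            issues.append(f"unpatched ({dev.firmware} < {FIXED_VERSION})")
        if dev.sip_proxy not in allowed_proxies:
            issues.append(f"unexpected SIP proxy {dev.sip_proxy}")
        if issues:
            findings[dev.host] = issues
    return findings


# Constructed sample inventory: 1.0.7.79 is the advisory's example of vulnerable
# firmware; 1.0.7.9, the "OTHER" model and the proxy values are made up for the demo.
SAMPLE_DEVICES = [
    Device("phone-01", "GXP1625", "1.0.7.79", "sip.corp.example"),
    Device("phone-02", "GXP1630", "1.0.7.81", "sip.corp.example"),
    Device("phone-03", "GXP1610", "1.0.7.9", "198.51.100.23"),
    Device("phone-04", "OTHER", "1.0.5.3", "sip.corp.example"),
]
ALLOWED_PROXIES = {"sip.corp.example"}

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_DEVICES, ALLOWED_PROXIES).items():
        print(host, "; ".join(issues))
```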

Sources

IOCs & technical references

Extracted indicators and technical references (URLs defanged):

CVE: CVE-2026-2329
NVD: nvd[.]nist[.]gov/vuln/detail/CVE-2026-2329
Vendor firmware: https://www[.]grandstream[.]com/support/firmware (fixed in 1.0.7.81)
Observed vulnerable firmware (example): 1.0.7.79
Metasploit PoC (Rapid7): github[.]com/rapid7/metasploit-framework/pull/20983
Affected models: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630
Forensic artifacts: extracted credentials, device config files, SIP peer listings, call proxy settings

Note: do not operationally share exploit code or unverified device hashes; use vendor resources and verified PoCs in controlled labs only.