Vulnerability Management, Patch/Configuration Management

Critical flaw in Grandstream GXP1600 VoIP phones could lead to call eavesdropping

(Credit: MakZin – stock.adobe.com)

A critical vulnerability was observed in Grandstream GXP1600 voice over internet protocol (VoIP) phones that could enable unauthenticated remote code execution (RCE) and ultimately lead to phone call eavesdropping, Rapid7 detailed Wednesday.

Grandstream has patched the flaw tracked as CVE-2026-2329, a stack-based buffer overflow with a CVSS score of 9.3. A crafted HTTP request an exposed API endpoint /cgi-bin/api.values.get could exploit the stack buffer overflow to execute malicious code with root privileges on the device.

Rapid7 Senior Principal Security Researcher Stephen Fewer, who first discovered the flaw, explained that the api.values.get API was designed for retrieving a phone’s configuration details. This API accepts HTTP requests that include a parameter called “request” containing a colon-delimited list of identifiers corresponding to certain phone details and responds with those details.

The function that handles requests to this endpoint allocates a 64-byte stack buffer for each identifier without checking the length, meaning an attacker could supply a “request” parameter that overflows this buffer.

To achieve RCE, the researchers needed to leverage a return-oriented programming (ROP) chain due to No Execute (NX) being enabled on the stack segment where the overflow occurs. This involves overwriting the return addresses of preexisting machine instruction sequences, or “gadgets,” in memory to chain specific gadgets to achieve the desired execution.

While the virtual addresses (VAs) used in the ROP chain required attackers to write multiple null bytes and they could only write one null byte per overflow, an attacker could achieve multiple overflows in one request by supplying multiple colon-separated identifiers.

Using this ROP chain exploit, the researchers executed arbitrary OS commands via the “system” C function and then terminate the process using the “exit” C function without causing a crash.

The researchers also developed a post-exploitation module that leverages the access provided by CVE-2026-2329 to gather local user and Session Initiation Protocol (SIP) credentials and reconfigure the phone to use an SIP proxy that intercepts calls, allowing for audio eavesdropping.

“There’s no dramatic ‘wiretap installed’ moment. No van parked outside with antennas on the roof. Just silent, transparent interception. Conversations about contracts, negotiations, legal strategy, maybe even sensitive personal matters – all are relayed in real time,” Rapid7 Director of Vulnerability Intelligence Douglas McKee said in a blog post about the exploit.

CVE-2026-2329 affects all models in the Grandstream GXP1600 series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. Users of these phones should update their firmware to version 1.0.7.81 to fully resolve the flaw.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds