Flaw in Grandstream VoIP phones allows stealthy eavesdropping
Bleeping Computer
by Bill Toulas, February 19, 2026
AI-Generated Deep Dive Summary
A critical vulnerability in Grandstream GXP1600 series VoIP phones has been uncovered, allowing remote, unauthenticated attackers to gain root privileges and silently eavesdrop on communications. The flaw, tracked as CVE-2026-2329 with a severity score of 9.3, impacts six models—GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630—running firmware versions prior to 1.0.7.81. This vulnerability affects small and medium businesses, schools, hotels, and ITSPs globally.
The issue lies in the device's web-based API service (/cgi-bin/api.values.get), which is accessible without authentication by default. The API processes a 'request' parameter containing colon-delimited identifiers but performs no length check when copying each identifier into a 64-byte stack buffer. An over-long identifier therefore causes a stack-based buffer overflow, overwriting adjacent stack memory and giving the attacker control over CPU registers such as the Program Counter.
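To make the bug class concrete, the following is an added illustration written for this summary; it is not Grandstream's firmware code and does not reproduce the actual api.values.get handler. It models the pattern the article describes (colon-delimited identifiers copied into a 64-byte stack buffer with no length check) beside a hardened version that bounds the copy and rejects identifiers that do not fit. The identifier names in the sample request are constructed placeholders, not real Grandstream API values.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE 64   /* matches the 64-byte stack buffer described in the article */

/* Vulnerable pattern (hypothetical illustration, not the vendor's code):
 * copies one colon-delimited identifier into a fixed-size buffer with no
 * bounds check. Any identifier of 64 or more bytes writes past the end of
 * 'id'; when 'id' lives on the stack, that corrupts saved registers. */
int extract_identifier_unsafe(const char *request, char *id /* ID_BUF_SIZE bytes */)
{
    size_t i = 0;
    while (request[i] != '\0' && request[i] != ':') {
        id[i] = request[i];   /* no check against ID_BUF_SIZE */
        i++;
    }
    id[i] = '\0';
    return (int)i;
}

/* Hardened version: the copy is bounded by the destination size and an
 * over-long identifier is rejected instead of being truncated silently. */
int extract_identifier_safe(const char *request, char *id, size_t id_size)
{
    size_t i = 0;
    while (request[i] != '\0' && request[i] != ':') {
        if (i + 1 >= id_size)   /* keep room for the NUL terminator */
            return -1;          /* identifier too long: reject */
        id[i] = request[i];
        i++;
    }
    id[i] = '\0';
    return (int)i;
}

/* Walk a whole 'request' value, identifier by identifier, using the safe
 * extractor. Returns the number of non-empty identifiers, or -1 if any
 * identifier would not fit in the 64-byte buffer. */
int parse_request_safe(const char *request)
{
    int count = 0;
    const char *p = request;
    for (;;) {
        char id[ID_BUF_SIZE];   /* stack buffer, as in the described flaw */
        int n = extract_identifier_safe(p, id, sizeof id);
        if (n < 0)
            return -1;
        if (n > 0)
            count++;
        p += n;
        if (*p == '\0')
            break;
        p++;                    /* skip the ':' delimiter */
    }
    return count;
}

/* Helper for experiments: builds a request of 'n' copies of 'c' (n < 256)
 * and returns what the hardened parser makes of it. */
int parse_repeated(char c, size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        return -1;
    memset(buf, c, n);
    buf[n] = '\0';
    return parse_request_safe(buf);
}

int main(void)
{
    /* Constructed sample request; the identifier names are placeholders. */
    const char *ok = "phone_model:phone_mac:phone_ip";
    printf("%s -> %d identifiers\n", ok, parse_request_safe(ok));
    printf("63 x 'A' -> %d (fits in 64-byte buffer)\n", parse_repeated('A', 63));
    printf("64 x 'A' -> %d (rejected: would overflow)\n", parse_repeated('A', 64));
    return 0;
}
```

The boundary worth testing is exactly 63 versus 64 bytes: 63 characters plus the terminator fill the buffer, while 64 is the first length the unsafe copy would write out of bounds, and it is the first length the hardened parser refuses. A defender reviewing similar firmware can use the same check (destination size carried alongside the pointer, rejection rather than truncation) as the expected shape of a fix.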
Rapid7 researchers demonstrated exploitation using a Metasploit module, enabling unauthenticated remote code execution.
Originally published on Bleeping Computer on 2/19/2026