What happened
Security researchers have disclosed CVE-2026-2329, a critical unauthenticated remote code execution (RCE) vulnerability in the Grandstream GXP1600 series of Voice over IP (VoIP) desk phones. The flaw is a stack-based buffer overflow in the device's web-API service; an attacker who can reach that service can trigger it without credentials and execute arbitrary code as root on the phone.
Who is affected
All six models in the GXP1600 series (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630) are affected. Phones running the default configuration, with web management enabled and reachable from the network, are at the highest risk, because the vulnerable component is the web API itself.
Why CISOs should care
The vulnerability is rated critical (CVSS 9.3) and allows remote, unauthenticated compromise of an enterprise communications device. A successful exploit yields root on the phone, from which an attacker can steal credentials, silently intercept or manipulate voice traffic, and use the phone as a foothold for lateral movement into the wider network.
3 practical actions
- Patch immediately: Confirm the running firmware on every GXP1600 phone and update any phone below 1.0.7.81 to that version or later.
- Segment and restrict: Place VoIP endpoints on dedicated VLANs and limit access to their management interfaces (web UI and web API) to the provisioning and management hosts that need it.
- Harden configurations: Disable the web interface where it is not needed, enforce strong credentials, and monitor for abnormal SIP registrations or unexpected changes to the phones' SIP proxy settings.
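The three actions above start with knowing which phones are still exposed. The script below is an added example, not Grandstream's code or tooling: it triages a phone inventory against the advisory's model list and fixed firmware version, prioritising unpatched phones that still have web management enabled. The inventory records, field names and IP addresses are constructed for the example; a real run would feed in an export from the provisioning server or a network scan. It also shows a pitfall worth avoiding in a hurried patch audit: firmware versions must be compared field by field as integers, because as plain strings "1.0.7.9" sorts after "1.0.7.81" and would be misreported as patched.

```python
"""Triage Grandstream GXP1600 phones against CVE-2026-2329 (added example)."""
import re
from typing import Dict, List, Tuple

# Models the advisory lists as affected, and the first fixed firmware version.
AFFECTED_MODELS = {"GXP1610", "GXP1615", "GXP1620", "GXP1625", "GXP1628", "GXP1630"}
FIXED_VERSION = "1.0.7.81"

# Constructed sample inventory (assumed field names). The GXP2170 entry is a
# control outside the advisory's model list; 10.20.1.16 has an unreadable version.
SAMPLE_INVENTORY = [
    {"ip": "10.20.1.11", "model": "GXP1625", "firmware": "1.0.7.81",  "web_mgmt": True},
    {"ip": "10.20.1.12", "model": "GXP1630", "firmware": "1.0.7.9",   "web_mgmt": True},
    {"ip": "10.20.1.13", "model": "GXP1610", "firmware": "1.0.5.48",  "web_mgmt": False},
    {"ip": "10.20.1.14", "model": "GXP2170", "firmware": "1.0.11.2",  "web_mgmt": True},
    {"ip": "10.20.1.15", "model": "GXP1620", "firmware": "1.0.7.100", "web_mgmt": True},
    {"ip": "10.20.1.16", "model": "GXP1628", "firmware": "unknown",   "web_mgmt": True},
]

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.0.7.81' into (1, 0, 7, 81) so fields compare numerically.

    Comparing raw strings gets this wrong: '1.0.7.9' > '1.0.7.81' as text.
    A shorter tuple that is a prefix of a longer one compares as lower,
    so (1, 0, 7) < (1, 0, 7, 81) as expected.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when the model is in the affected list and runs pre-fix firmware."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory: List[dict]) -> Dict[str, str]:
    """Map each phone's IP to an action, ranked by exposure: an unpatched
    phone with web management enabled is the one the advisory calls highest risk."""
    actions: Dict[str, str] = {}
    for phone in inventory:
        ip, model, firmware = phone["ip"], phone["model"], phone["firmware"]
        if model not in AFFECTED_MODELS:
            actions[ip] = "NOT IN ADVISORY LIST"
            continue
        try:
            vulnerable = is_vulnerable(model, firmware)
        except ValueError:
            # A blank or 'unknown' version must never silently pass as patched.
            actions[ip] = "VERIFY: firmware version unreadable"
            continue
        if not vulnerable:
            actions[ip] = "PATCHED"
        elif phone["web_mgmt"]:
            actions[ip] = "PATCH NOW: web management enabled"
        else:
            actions[ip] = "PATCH: web management disabled"
    return actions


if __name__ == "__main__":
    for ip, action in triage(SAMPLE_INVENTORY).items():
        print(f"{ip:<12} {action}")
```

Phones flagged "PATCH NOW" are the ones to update (or at least cut off from the network at the management interface) first; the "VERIFY" bucket exists because an inventory that cannot report a version is exactly where an unpatched phone hides.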
