Grandstream VoIP Bug Leaves SMBs Open to Call Interception and Network Breaches

Dateline: Feb 19, 2026

How a Simple Desk Phone Can Compromise Your Entire Business Network

For many small and midsized businesses (SMBs), office phones are treated like basic utilities. You plug them in and forget about them. That mindset has just been challenged by a newly disclosed vulnerability in a widely used line of Grandstream VoIP phones. Tracked as CVE-2026-2329, the critical flaw carries a CVSS score of 9.3 and gives cybercriminals complete control over the affected devices without requiring a password.

The bug affects businesses globally, particularly hotels, call centers, and SMBs relying on Grandstream's hardware.

What Happened?

A security researcher at Rapid7 discovered a stack-based buffer overflow vulnerability in all six models of Grandstream’s GXP1600 series VoIP phones.

The vulnerability lives inside the phone's web-based API service. Specifically, the endpoint /cgi-bin/api.values.get—which normally fetches configuration details like firmware versions—sits fully exposed in the device's default configuration. By sending a maliciously crafted, colon-delimited HTTP request to this endpoint, an attacker can trigger the buffer overflow and corrupt the stack.

Because this API requires no authentication, anyone who can reach the phone over the network can exploit it. The exploit grants the attacker unauthenticated remote code execution (RCE) with root privileges. Rapid7 discovered the issue in early January 2026, and Grandstream recently released a firmware patch to address the zero-day flaw.

What's the Impact?

Once an attacker gains root access, the VoIP phone essentially becomes a fully compromised, networked computer operating under the radar. Rapid7 even built a Metasploit module demonstrating how easily an attacker can chain this flaw with post-exploitation tactics.

• Eavesdropping and Fraud: Attackers can extract user accounts and SIP credentials—often stored as plain-text passwords—straight from the device. With these details, they can configure the target device to use a malicious SIP proxy.
• Call Interception: Routing traffic through an attacker-controlled proxy allows them to secretly eavesdrop on VoIP conversations, exposing sensitive data, legal strategies, and contract negotiations.
• Network Infiltration: Security teams rarely install endpoint detection and response (EDR) software on desk phones. Because these embedded devices are often managed outside core IT, they create a massive blind spot. In many flat SMB networks, phones and employee laptops share the exact same VLAN. Attackers can use the compromised phone to scan internal systems, establish a command-and-control beacon, and pivot into the wider corporate network.

How to Avoid this

Securing VoIP infrastructure means treating phones like the network-connected computers they actually are.

• Update Firmware Immediately: Grandstream has released version 1.0.7.81 to patch CVE-2026-2329. Administrators should push this update to all GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 devices.
• Segment Your Network: Never place VoIP phones on the same network segment as workstations and servers. Move all voice infrastructure to an isolated VLAN to limit lateral movement if a device is breached.
• Restrict Network Access: Block public internet access to the phone's web management interface. Only allow trusted, internal IP addresses to communicate with the device's API services.

Voice networks are an underappreciated attack surface. By isolating these devices and applying the latest patches, organizations can shut the door on attackers looking for an easy way in.