Critical Grandstream Phone Vulnerability Exposes Calls to Interception

A critical vulnerability affecting Grandstream’s GXP1600 series phones could allow threat actors to intercept calls, Rapid7 reported this week.

The vulnerability, tracked as CVE-2026-2329, has been described as a stack-based buffer overflow that can be exploited by an unauthenticated attacker to remotely execute code with root privileges on the targeted device.

The GXP1600 is a line of basic VoIP desktop phones mainly used by small-to-medium businesses.

An attacker could exploit the vulnerability to extract secrets from vulnerable phones, including local and SIP account credentials, enabling call interception and eavesdropping.

“With root access, the attacker can reconfigure the device’s SIP settings to point to infrastructure they control. A malicious SIP proxy. Calls still dial. The display still lights up. The user still hears a dial tone. But now, every call flows through someone else’s hands first,” explained Douglas McKee, director of vulnerability intelligence at Rapid7.

“There’s no ...