Your Office Phone Is a Spy: CVE-2026-2329 and the Grandstream Vulnerability Explained

A critical unauthenticated stack buffer overflow (CVE-2026-2329, CVSSv4 9.3) in the web API of Grandstream GXP1600 series desk phones allows remote root RCE, credential harvesting, and silent interception of calls; Rapid7 published technical details and Metasploit modules on Feb 18, 2026, and Grandstream issued a patch in firmware 1.0.7.81 — organizations should immediately inventory affected phones, apply the patch, segment VoIP networks, block external management access, rotate credentials if compromise is suspected, and monitor SIP traffic.