Grandstream GXP1600 Phones Hit by Critical RCE Vulnerability
Grandstream GXP1600: root-level flaw opens a silent intercept path
Security researchers disclosed a CVE-2026-2329 flaw that permits remote code execution on the GXP1600 family of desktop VoIP phones used widely in small-to-medium business environments.
The problem stems from a stack-based buffer overflow that an unauthenticated actor can weaponize to obtain root privileges on affected units.
With elevated control, an adversary can extract stored secrets — notably local and SIP account credentials — and redirect voice traffic through attacker-controlled infrastructure.
That pathway produces a near-transparent interception capability: calls continue to ring and connect while media streams are siphoned to a malicious proxy.
Researchers cautioned the exploit is not trivial; it favors operators of moderate skill who can chain code execution to configuration changes.
Grandstream released firmware version 1.0.7.81 slightly more than a week after the issue was disclosed, and public technical write-ups and vendor advisories are available for defenders.
The combination of inexpensive, persistent endpoints and embedded credentials means many small networks expose a long-lived attack surface unless devices are patched or segmented.
Operational mitigations include rapid firmware rollout, network-level isolation of SIP devices, and rotation of any credentials stored on compromised hardware.
Because VoIP endpoints frequently sit on flat LANs, this flaw amplifies the need for Zero Trust micro-segmentation and device-level inventory control in SMB environments.
The event also revives attention on how quickly vendors can produce fixes and how rapidly customers actually deploy them.
For defenders, the priority is clear: validate firmware versions, audit SIP registrar configurations, and treat legacy desktop VoIP gear as high-risk until proven patched.
Read Our Expert Analysis
Create an account or login for free to unlock our expert analysis and key takeaways for this development.
By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.
Recommended for you
Critical SolarWinds Web Help Desk Flaw Exploited; CISA Orders Rapid Patching
A critical unauthenticated remote code execution bug in SolarWinds Web Help Desk (WHD) rooted in AjaxProxy deserialization is being exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities list, triggering compressed federal remediation deadlines. The listing arrived alongside other high-priority KEV additions this patch cycle, reinforcing that administrative consoles and legacy proxy components are high-risk and require immediate patching and network controls.
Hackers Rapidly Exploit Critical BeyondTrust Remote-Access Flaw After PoC Emerges
A critical unauthenticated remote-code execution bug (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access was probed and targeted within 24 hours of a public proof-of-concept, exposing thousands of internet-facing instances. Organizations should treat exposed BeyondTrust deployments as emergency patching and containment priorities, applying access restrictions, WAF/ACL rules, and focused threat-hunting while verifying remediation.
Critical OpenClaw Flaw Enabled Remote Hijack Through Malicious Web Page
A newly disclosed OpenClaw vulnerability (CVE-2026-25253) let a single malicious webpage steal a browser-exposed token and escalate it into full gateway access and host command execution; OpenClaw released a fix in 2026.1.29. Independent scans and research also found large-scale operational exposure—including hundreds of internet-reachable admin interfaces, unmoderated Moltbook skill posts with hidden prompt‑injection fragments, and separate misconfigurations that leaked millions of API tokens and tens of thousands of emails—so operators must patch, revoke keys, inventory reachable instances, and tighten access and content‑distribution controls immediately.
TeamT5 ThreatSonar vulnerability exploited; CISA adds flaw to KEV list
CISA added a high-severity vulnerability in TeamT5’s ThreatSonar (CVE-2024-7694) to its Known Exploited Vulnerabilities catalogue and required federal remediation by March 10, 2026. The bug allows unsafe file uploads that can be chained with elevated privileges to achieve remote command execution; a vendor patch was issued in August 2024 but evidence of in‑the‑wild exploitation has been reported.
Critical vulnerabilities in Google Looker allow developer-level paths to full compromise
Security researchers found two serious flaws in Google Looker that let an attacker with developer privileges run code on hosts and extract the platform’s internal database. Google has patched cloud-hosted instances; organizations running self-managed Looker must update immediately or risk data theft and infrastructure takeover.
Six Vulnerabilities in Major JavaScript Package Managers Expose Projects to Supply-Chain RCE
Security firm Koi disclosed six vulnerabilities across NPM, PNPM, VLT, and Bun that let attackers bypass common install-time protections and potentially achieve remote code execution. PNPM, VLT and Bun issued fixes quickly while NPM declined to change the behavior, leaving many projects exposed if they rely on Git or tarball dependencies without added protections.
Critical n8n sandbox escape exposes server secrets, high-severity CVE issued
A flaw in n8n’s expression sanitizer permitted crafted JavaScript to break out of the sandbox and execute commands on servers, prompting CVE-2026-25049 with a 9.4 severity rating. n8n released version 2.4.0 to address the issue; administrators should apply the update immediately to prevent credential and configuration theft.
Metro4Shell: Active exploitation of critical React Native Metro bug raises global alarm
Researchers observed in-the-wild exploitation of a critical unauthenticated RCE in the React Native Metro bundler (CVE-2025-11953, CVSS 9.8), with attackers using staged PowerShell loaders and Rust payloads against internet-facing development servers. Given historical patterns where public fixes can speed adversary reconstruction of exploits, defenders should urgently inventory exposed Metro instances, accelerate patching or apply vendor mitigations, and deploy behavior-based telemetry to detect staged loader activity and downstream supply-chain tampering.