CVE-2025-28170: n/a
Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.
AI Analysis
Technical Summary
CVE-2025-28170 identifies a security vulnerability in Grandstream Networks GXP1628 IP phones running firmware versions up to and including 1.0.4.130. The vulnerability is classified as Incorrect Access Control due to the device being configured with directory listing enabled. This misconfiguration allows unauthorized users to access sensitive directories and files on the device without proper authentication or authorization. Directory listing is a feature that, when enabled, reveals the contents of directories via a web interface or HTTP server, potentially exposing configuration files, logs, or other sensitive data stored on the device. Since IP phones like the GXP1628 often contain configuration details, network information, and possibly credentials, unauthorized access to these files can lead to further compromise of the device or the network it is connected to. The vulnerability does not currently have a CVSS score assigned, and no known exploits are reported in the wild as of the publication date. However, the presence of directory listing on a network device accessible by unauthorized users represents a significant security risk, as it can facilitate reconnaissance and subsequent attacks. The lack of patch information suggests that either a fix has not yet been released or is not publicly documented, increasing the urgency for organizations to implement compensating controls. The vulnerability affects a specific product line widely used in enterprise telephony systems, which are often integrated into corporate communication infrastructures.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. Grandstream GXP1628 IP phones are commonly deployed in corporate environments for VoIP communications. Unauthorized access to sensitive directories could expose configuration files containing network credentials, SIP account details, or administrative passwords, potentially allowing attackers to intercept calls, conduct eavesdropping, or launch further attacks within the corporate network. This could lead to breaches of confidentiality, integrity, and availability of communication systems. Additionally, compromised IP phones can be used as pivot points for lateral movement within an organization's network, increasing the risk of broader compromise. The exposure of sensitive data may also lead to regulatory compliance issues under GDPR, as personal data could be intercepted or accessed unlawfully. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability's nature makes it a likely target for attackers seeking to exploit VoIP infrastructure weaknesses. Organizations relying heavily on Grandstream devices for communication, especially those in regulated industries or with high privacy requirements, face increased operational and reputational risks if this vulnerability is exploited.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first verify whether they are using Grandstream GXP1628 devices with firmware versions up to and including 1.0.4.130. Immediate steps include disabling directory listing on the device's web interface or HTTP server, if configurable, to prevent unauthorized directory enumeration. If the device firmware does not allow disabling directory listing, organizations should restrict access to the device management interface using network segmentation and firewall rules, limiting access to trusted administrative networks or VPNs only. Implementing strong authentication mechanisms and changing default credentials on the devices is critical to reduce the risk of unauthorized access. Monitoring network traffic for unusual access patterns to the IP phones' web interfaces can help detect exploitation attempts. Organizations should also engage with Grandstream support or monitor official advisories for firmware updates or patches addressing this vulnerability and plan timely deployment once available. As a longer-term measure, consider replacing affected devices with models that have improved security configurations and support regular security updates. Conducting regular security audits of VoIP infrastructure and integrating these devices into centralized vulnerability management programs will enhance overall security posture.
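The two compensating controls above (restricting the web interface to an administrative network and monitoring for unusual access to it) can be checked together from an HTTP access log. The following Python script is an added example and is not part of this advisory or of any Grandstream software. It assumes a Common Log Format access log for the phone's web interface (as a reverse proxy or IDS in front of the device would produce), a hypothetical management subnet of 10.10.0.0/24, and constructed sample log lines whose directory names are placeholders rather than the GXP1628's real layout. It flags directory-style requests that were answered successfully from outside the admin network (a listing served to someone who should not reach the interface at all) and sources that walk several distinct directories, which is the enumeration pattern the mitigation text describes.

```python
"""Flag directory-listing access to an IP phone's web interface from outside the admin network.

Added example for CVE-2025-28170 style misconfigurations; not vendor code.
Assumptions: Common Log Format input, ADMIN_NETWORKS is the management subnet,
directory paths in SAMPLE_LOG are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed: the only network from which administrators legitimately reach the phones' web UI.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# How many distinct directory paths one source may request before we call it enumeration.
ENUM_THRESHOLD = 3

# Constructed access-log lines in Common Log Format (hypothetical paths, not the device's real ones).
SAMPLE_LOG = """\
10.10.0.5 - - [29/Jul/2025:17:02:44 +0000] "GET /cgi-bin/login HTTP/1.1" 200 1532
192.0.2.77 - - [29/Jul/2025:17:05:01 +0000] "GET / HTTP/1.1" 200 2048
192.0.2.77 - - [29/Jul/2025:17:05:02 +0000] "GET /config/ HTTP/1.1" 200 734
192.0.2.77 - - [29/Jul/2025:17:05:03 +0000] "GET /logs/ HTTP/1.1" 200 812
192.0.2.77 - - [29/Jul/2025:17:05:04 +0000] "GET /backup/ HTTP/1.1" 404 310
10.10.0.5 - - [29/Jul/2025:17:06:10 +0000] "GET /logs/ HTTP/1.1" 200 812
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def parse_line(line: str):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_source(ip: str) -> bool:
    """True if the client address lies inside an approved management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def is_directory_path(path: str) -> bool:
    """Treat any path ending in '/' (query string ignored) as a directory request,
    except the landing page '/', which every legitimate visit fetches."""
    bare = path.split("?", 1)[0]
    return bare != "/" and bare.endswith("/")


def analyze(log_text: str) -> list:
    """Return Findings for listings served outside the admin net and for enumeration."""
    findings = []
    dirs_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_directory_path(rec["path"]):
            continue
        dirs_by_ip[rec["ip"]].add(rec["path"])
        # A 2xx answer to a directory request from a non-admin source means the
        # device served a listing to a client that should have been blocked upstream.
        if 200 <= rec["status"] < 300 and not is_admin_source(rec["ip"]):
            findings.append(Finding(rec["ip"], rec["path"], rec["status"],
                                    "directory-listing-served-outside-admin-net"))
    # Several distinct directory requests from one outside source, whatever the
    # status codes, is the enumeration pattern worth alerting on.
    for ip, paths in dirs_by_ip.items():
        if not is_admin_source(ip) and len(paths) >= ENUM_THRESHOLD:
            findings.append(Finding(ip, ",".join(sorted(paths)), 0, "directory-enumeration"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}: {f.ip} {f.path} (status {f.status})")
```

Run against the sample, the script reports the two listings served to 192.0.2.77 and one enumeration finding for that source, while the administrator at 10.10.0.5 fetching the same directory is not flagged. In practice the admin subnet, the threshold and the log source are the only parts that need adapting; if the device itself cannot export access logs, the same logic applies to the logs of the firewall or proxy that enforces the segmentation.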
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6888feb4ad5a09ad008eef0d
Added to database: 7/29/2025, 5:02:44 PM
Last enriched: 7/29/2025, 5:18:24 PM
Last updated: 8/29/2025, 5:11:22 AM