An issue exists in Grandstream GXP14XX 1.0.8.9 and GXP16XX 1.0.7.13, allows remote malicious users to escalate privileges via incorrect access control using an end-user session-identity token.