A critical-severity vulnerability in multiple HP Poly Voice VoIP phone models can be exploited for remote code execution (RCE) with root privileges, allowing attackers to gain a foothold in enterprise networks, Rapid7 warns.
Tracked as CVE-2026-0826 (CVSS score of 9.2), the bug is described as a stack-based buffer overflow issue in the parsing of Session Description Protocol (SDP) attributes and affects devices that have the Interactive Connectivity Establishment (ICE) feature enabled.
The security defect was identified in a function that parses individual components of candidate attributes. The parsing function is called during the processing of SDP data, when ICE is enabled.
“The candidate attribute is intended to contain a transport address for a candidate that can be used for connectivity checks,” Rapid7 explains.
The parser copies the incoming string line into a 256-byte stack buffer without checking its length, and a candidate attribute with a greater length can be supplied to trigger the buffer overflow.
An attacker can exploit the vulnerability by sending a SIP INVITE request containing a malicious candidate attribute, which will trigger a crash, providing the attacker with control of the program counter, general-purpose registers, and data in the stack pointer.
To bypass ASLR and No Execute (NX) mitigations, which prevent the execution of the stack data, the attacker can use a Return Oriented Programming (ROP) chain containing null bytes, which results in arbitrary code execution.
The bug has been confirmed on HP VVX series (VVX 150, VVX 250, VVX 350, and VVX 450) and Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300) VoIP phones. Patches are available for all of them.
Disabling ICE connectivity where it is not required mitigates the vulnerability. To fully address it, administrators are advised to update Poly Voice devices to a patched firmware release.
According to Rapid7 vulnerability intelligence director Douglas McKee, the main issue is that these devices reside in inherently trusted places, including conference rooms, offices, help desks, and hospital stations.
“A compromise in that context is not just about device access. It’s about what that access enables,” McKee notes, explaining that these devices typically don’t run endpoint protection software and can be abused to establish a persistent foothold into an environment and then intercept transmissions or move laterally.
“A compromised desk phone sitting in an executive office or conference room is not just a way to eavesdrop on sensitive discussions. It can also become a collection point for exactly the kind of audio that can be reused in vishing, deep fakes, social engineering, or even fraudulent financial authorization attempts,” McKee says.
Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Related: Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Related: Recent Palo Alto Networks Vulnerability Exploited for Weeks
