CVE-2026-0826: Root RCE Vulnerability Hits HP Poly Enterprise VoIP Phones
A critical stack-based buffer overflow in HP Poly Voice's SDP parsing allows unauthenticated remote code execution with root privileges via SIP INVITE. Patches…

A critical vulnerability in HP Poly Voice VoIP phones exposes enterprise networks to remote compromise with maximum privileges. Identified as CVE-2026-0826 with a CVSS score of 9.2, the flaw was disclosed on June 2, 2026, by Rapid7 researchers and documented in detail by SecurityWeek. The mechanism is a classic stack-based buffer overflow in the SDP parser which, combined with the abuse of ICE functionality, allows an unauthenticated remote attacker to achieve arbitrary code execution as root on devices typically situated in highly sensitive organizational zones.
- CVE-2026-0826 carries a CVSS 9.2 rating: a stack-based buffer overflow in the parsing of SDP candidate attributes, utilizing a fixed 256-byte buffer with no length validation.
- The attack requires a SIP INVITE containing a malicious candidate attribute; ICE functionality must be enabled for the device to be vulnerable.
- Confirmed affected models include the HP VVX 150/250/350/450 and Trio IP Conference 8800/8500/8300: seven enterprise devices for which patches are now available.
- Bypassing ASLR and NX is documented via a ROP chain containing null bytes, resulting in arbitrary code execution with root privileges.
Anatomy of the Attack: The SDP Parser’s 256-Byte Failure
The root of the vulnerability lies in how the HP Poly Voice firmware handles Session Description Protocol (SDP) attributes during VoIP call negotiation. The parser copies the incoming string into a fixed-size 256-byte buffer allocated on the stack without verifying if the data length exceeds this threshold. This allows an attacker to overwrite the function's return address, and subsequently the program counter, general-purpose registers, and the stack pointer.
According to the technical description from Rapid7 reported by SecurityWeek: "The parser copies the incoming string line into a 256-byte stack buffer without checking its length, and a candidate attribute with a greater length can be supplied to trigger the buffer overflow." Interactive Connectivity Establishment (ICE) functionality, used to traverse NAT and firewalls in peer-to-peer communications, provides the entry vector: an unauthenticated SIP INVITE containing a specially crafted candidate attribute triggers the vulnerable code path.
Modern protections such as ASLR (Address Space Layout Randomization) and NX (No-Execute) do not block exploitation. Researchers documented that an attacker can construct a ROP chain containing null bytes—typically problematic in C strings—to achieve arbitrary code execution. The target process runs with root privileges, turning every compromised device into a platform for total control over the host network.
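The length check whose absence is described above, shown as an added C example (this is not HP/Poly firmware code and not taken from the Rapid7 research). The function names `copy_line_checked`, `scan_candidates` and `scan_sample` are hypothetical, and the SDP body is a constructed sample with benign filler bytes; only the 256-byte buffer size comes from the article.

```c
#include <string.h>

#define CAND_BUF 256  /* stack buffer size reported for the vulnerable parser */
struct sdp_scan { int accepted, rejected; size_t longest; };

/* Copy a line of len bytes only if it fits together with its terminator. */
static int copy_line_checked(char *dst, size_t dst_sz, const char *line, size_t len)
{
    if (len >= dst_sz) return -1;   /* the length check the page says is missing */
    memcpy(dst, line, len);
    dst[len] = '\0';
    return 0;
}

/* Walk a length-delimited SDP body (an embedded NUL cannot hide the tail)
 * and bounds-check every a=candidate: line before it reaches the buffer. */
struct sdp_scan scan_candidates(const char *sdp, size_t sdp_len)
{
    static const char tag[] = "a=candidate:";
    struct sdp_scan r = {0, 0, 0};
    const char *p = sdp, *end = sdp + sdp_len;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t len = (size_t)((nl ? nl : end) - p);
        if (len > 0 && p[len - 1] == '\r') len--;      /* strip CR of CRLF */
        if (len >= sizeof tag - 1 && memcmp(p, tag, sizeof tag - 1) == 0) {
            char buf[CAND_BUF];
            if (len > r.longest) r.longest = len;
            if (copy_line_checked(buf, sizeof buf, p, len) == 0) r.accepted++;
            else r.rejected++;                         /* drop and log, never copy */
        }
        p = nl ? nl + 1 : end;
    }
    return r;
}

/* Constructed sample: one ordinary candidate, one padded with `pad` filler bytes. */
struct sdp_scan scan_sample(size_t pad)
{
    char sdp[2048];
    const char *head = "v=0\r\na=candidate:1 1 UDP 2130706431 192.0.2.10 5004 typ host\r\n"
                       "a=candidate:2 1 UDP 1 ";
    size_t n = strlen(head);
    if (pad > sizeof sdp - n - 2) pad = sizeof sdp - n - 2;
    memcpy(sdp, head, n);
    memset(sdp + n, 'A', pad);
    memcpy(sdp + n + pad, "\r\n", 2);
    return scan_candidates(sdp, n + pad + 2);
}
```

A 255-byte candidate line is the longest that fits the buffer with its terminator; at 256 bytes the line is rejected instead of copied, and the `longest` field gives a value worth logging for monitoring.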
Why VoIP Phones Are the Enterprise Security Blind Spot
The affected devices are not marginal peripherals. The VVX and Trio IP Conference models are standard fixtures in conference rooms, executive offices, help desks, and hospital stations—environments where strategic, financial, clinical, or legal information flows. This physical placement is a decisive factor in the risk assessment.
Douglas McKee, director of vulnerability intelligence at Rapid7, highlighted a structural aspect that is often overlooked: "these devices typically don't run endpoint protection software and can be abused to establish a persistent foothold." The absence of EDR agents, the lack of visibility from security operations platforms, and the rarity of dedicated scans in vulnerability management cycles make the VoIP phone an ideal pivot for prolonged lateral movement.
McKee also emphasized consequences beyond pure network compromise: "A compromised desk phone sitting in an executive office or conference room is not just a way to eavesdrop on sensitive discussions. It can also become a collection point for exactly the kind of audio that can be reused in vishing, deep fakes, social engineering, or even fraudulent financial authorization attempts." The quality of ambient recordings from these devices—designed to capture voice with noise cancellation and directional patterns—makes them raw material for fraudulent voice synthesis and advanced social engineering attacks.
"A compromise in that context is not just about device access. It's about what that access enables." — Douglas McKee, Rapid7
Vulnerable Models and Mitigation Status
Converging primary sources, SecurityWeek and the Rankiteo blog, list identical models within the confirmed attack surface: the HP VVX series (150, 250, 350, 450) and the Trio IP Conference series (8800, 8500, 8300). HP has released patches for all seven devices, although the sources reviewed do not specify the exact publication date of the corrected firmware.
An immediate temporary mitigation exists: disabling ICE connectivity where it is not strictly required. This action blocks the documented entry vector, as the vulnerable parsing of candidate attributes is triggered specifically by the ICE path. However, this operational choice requires a functional impact assessment, as ICE enables direct connectivity in NAT traversal and conference bridge scenarios.
The sources reviewed do not document whether HP/Poly issued an official advisory independent of the Rapid7 research, nor whether CVE-2026-0826 is present in the NVD database at the time of writing; the NVD record listed among the sources actually refers to CVE-2025-37164, which is associated with HPE OneView, an entirely different product.
Recommended Actions
- Audit the inventory of HP Poly Voice devices on the network: identify VVX 150/250/350/450 and Trio 8800/8500/8300 models running unpatched firmware.
- Apply vendor-released patches for all affected models, prioritizing devices located in high-sensitivity areas (executive offices, conference rooms, help desks).
- Evaluate disabling ICE connectivity where it is not essential to the service as a preventative or compensatory temporary mitigation.
- Include VoIP phones within the vulnerability management and security monitoring perimeter: ensure they are subject to regular scans and that SOC platforms detect network anomalies originating from them.
The Phone as a State Microphone: Why 2026 Echoes 1995
The most relevant takeaway is architectural rather than technical. A 1995-style buffer overflow—fixed buffer, no bounds checking, stack overwriting—is controlling boardroom microphones in 2026. This occurs because the enterprise security supply chain has systematically excluded VoIP devices from its focus: they are not endpoints, not servers, and not consumer IoT, but a hybrid category that inherits the criticality of the first two and the neglect of the third.
The Rapid7 research does not discover a new technique. Instead, it documents that old techniques still work where no one is looking. The CVSS 9.2 score does not just measure the severity of the bug; it measures the gap between the theoretical protection of enterprise networks and the actual protection of their microphones. For CISOs, the call to verify Poly Voice inventory is also a broader reminder: the next weak link will not be a new class of device, but the same forgotten class with a different name.
Information has been verified against the cited sources and is current at the time of publication.
Sources
- https://www.securityweek.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/
- https://blog.rankiteo.com/hpp1780411927-hp-vulnerability-june-2026/
- https://www.arrowwoodservices.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/
- https://nvd.nist.gov/vuln/detail/CVE-2025-37164
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/categories
- https://nvd.nist.gov/vuln/data-feeds
- https://nvd.nist.gov/vuln/vendor-comments