Critical HP Poly VoIP Phone Vulnerability Exposes Enterprises to Root-Level RCE
Enterprise phones rarely sit at the top of the patching queue. That is exactly why this bug matters.
A critical vulnerability in HP Poly VoIP phones can give an unauthenticated attacker remote code execution with root privileges on affected devices. Tracked as CVE-2026-0826, the flaw was disclosed by Rapid7 on June 1, 2026, and flagged by SecurityWeek on June 2, 2026, as a risk that could help attackers gain a foothold inside enterprise networks.
The vulnerable devices are not obscure lab gear. They are desk phones and conference phones commonly deployed in offices, meeting rooms, branch sites, and shared corporate spaces — the kind of infrastructure that often stays online for years after initial rollout.
What Happened
Rapid7 Labs discovered a critical unauthenticated stack-based buffer overflow in HP Poly Voice devices after testing an HP Poly VVX 450 VoIP phone. HP confirmed the issue affects the full VVX series and several Trio conference phone models.
The affected products include VVX 150, VVX 250, VVX 350, VVX 450, Trio 8300, Trio 8500, and Trio 8800. CVE-2026-0826 has a CVSSv4 score of 9.2 and is classified as CWE-121: Stack-based Buffer Overflow.
The vulnerability exists in how the device parses Session Description Protocol data when Interactive Connectivity Establishment is enabled. ICE is not enabled by default, but when it is active, a malicious SIP request can trigger the overflow.
How the Bug Works
The vulnerable code sits in the Poly application binary responsible for SIP and media handling. When SDP data is processed, the device parses an a=candidate: attribute used by ICE for connectivity checks.
Rapid7 found that the parsing function copies attacker-controlled candidate data into a 256-byte stack buffer without properly checking length. A candidate attribute longer than the buffer can overflow the stack and give the attacker control over execution flow.
In Rapid7’s technical analysis, exploitation was demonstrated against a Poly VVX 450 running vulnerable firmware version 6.4.7.4477. A Metasploit module was developed to show unauthenticated RCE with root privileges, including execution of a reverse shell payload on the target device.
Why This Stands Out
This is not just another firmware bug in a peripheral device. The exploit path targets a network-facing VoIP service and can be reached through crafted SIP traffic when ICE is enabled.
That changes the risk profile. A compromised VoIP phone can become a quiet internal foothold, a traffic observation point, or a staging position for additional reconnaissance. Phones often live on trusted network segments, communicate with call infrastructure, and may be allowed through internal controls that would block less familiar devices.
The vulnerability also undercuts a common operational assumption: that voice hardware is “set and forget.” In reality, these devices run Linux-based firmware, expose protocol parsers, and often remain under-monitored compared with servers, endpoints, and cloud workloads.
Enterprise Risk
The practical impact depends on whether ICE is enabled and whether vulnerable phones are reachable by an attacker. But where those conditions line up, the impact is severe: unauthenticated root-level code execution on a device inside the enterprise environment.
Attackers do not need a login. They need a path to the SIP service and a vulnerable configuration. Once code execution is achieved, the device may be used for persistence, network scanning, packet capture, credential discovery, or lateral movement attempts.
SecurityWeek’s framing is important: the issue is not only compromise of the phone. It is the phone as a bridge into the enterprise network.
Affected Versions and Fixes
HP Poly recommends disabling ICE where it is not required and updating affected devices to fixed UCS firmware releases using Poly Lens Device Management.
Rapid7 listed the following fixed versions:
VVX: UCS 6.4.8
Trio 8300: UCS 8.1.7
Trio 8500: UCS 7.2.8
Trio 8800: UCS 7.2.8
Rapid7 also noted that InsightVM, Nexpose, and Exposure Command customers received vulnerability check coverage in the June 2, 2026 content release.
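One way to triage a phone inventory against the fixed releases listed above, as an added example that is not HP or Rapid7 tooling. The status labels, function names and inventory rows are constructed for illustration; 6.4.7.4477 is the vulnerable build named in this article, and 6.4.8.1234 is a made-up build number.

```python
import re

# Fixed UCS releases listed above, keyed by model family.
FIXED = {"VVX": (6, 4, 8), "TRIO 8300": (8, 1, 7),
         "TRIO 8500": (7, 2, 8), "TRIO 8800": (7, 2, 8)}

def family(model):
    """Map a free-form inventory model string to a key in FIXED, or None."""
    m = re.search(r"\b(VVX)\s*\d+|\bTRIO\s*(8300|8500|8800)\b", model.upper())
    if m is None:
        return None
    return "VVX" if m.group(1) else "TRIO " + m.group(2)

def parse_version(text):
    """'6.4.7.4477' -> (6, 4, 7, 4477); ValueError on anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unparseable UCS version: %r" % text)
    return tuple(int(p) for p in parts)

def is_fixed(version, fixed):
    """Compare only as many components as the fixed release has."""
    padded = version + (0,) * max(0, len(fixed) - len(version))
    return padded[:len(fixed)] >= fixed

def status_for(model, version, ice_enabled):
    fam = family(model)
    if fam is None:
        return "not-listed"
    try:
        parsed = parse_version(version)
    except ValueError:
        return "check-manually"
    if is_fixed(parsed, FIXED[fam]):
        return "fixed"
    # Below the fixed release: ICE decides how urgent the update is.
    return "update-first" if ice_enabled else "update"

# Constructed inventory rows: (host, model, UCS version, ICE enabled).
INVENTORY = [("phone-01", "Poly VVX 450", "6.4.7.4477", True),
             ("phone-02", "VVX 250", "6.4.8.1234", True),
             ("conf-01", "Trio 8500", "7.2.7", False),
             ("conf-02", "Trio 8300", "8.1.7", False),
             ("conf-03", "Trio 8800", "unknown", True),
             ("desk-09", "Other SIP Phone", "1.0", False)]

def triage(rows):
    return [(host, status_for(model, ver, ice)) for host, model, ver, ice in rows]
```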
Defender Actions
Enterprises should first identify HP Poly VVX and Trio devices across office, branch, conference-room, and remote-site networks. Asset inventories often miss voice hardware, so defenders should validate against DHCP, NAC, VoIP management systems, call-manager records, and network scans.
Where ICE is not required, disable it. Where affected models are deployed, upgrade firmware to the fixed UCS versions. SIP exposure should also be reviewed: phones should not be reachable from untrusted networks, and internal access should be limited to required call-control infrastructure wherever possible.
Security teams should look for unexpected SIP traffic, abnormal device reboots or crashes, outbound connections from phone VLANs, reverse-shell-like traffic, and any sign that VoIP devices are communicating outside expected call-management paths.
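One way to look for the unexpected SIP traffic mentioned above, as an added example that does not come from Rapid7, HP or SecurityWeek: it flags SIP messages whose SDP body carries an a=candidate line too long for the 256-byte buffer described under How the Bug Works. The function names, the sample INVITEs (documentation-range addresses) and the choice to measure the whole line are assumptions.

```python
CANDIDATE_BUF_SIZE = 256  # size of the stack buffer reported in the article
PREFIX = b"a=candidate:"

def split_sip(raw):
    """Split a raw SIP message into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def oversized_candidates(raw, limit=CANDIDATE_BUF_SIZE):
    """Return one finding per a=candidate line that cannot fit a limit-byte buffer."""
    start, headers, body = split_sip(raw)
    # "c" is the SIP compact form of Content-Type, "f" of From.
    ctype = headers.get(b"content-type") or headers.get(b"c") or b""
    if not ctype.lower().startswith(b"application/sdp"):
        return []
    sender = headers.get(b"from") or headers.get(b"f") or b""
    findings = []
    for number, line in enumerate(body.splitlines(), start=1):
        # Assumption: measure the whole line. Any piece a parser copies out of
        # it is no longer than the line, so shorter lines fit a plain copy.
        if line.lower().startswith(PREFIX) and len(line) >= limit:
            findings.append({"request": start.decode("latin-1"),
                             "from": sender.decode("latin-1"),
                             "sdp_line": number, "length": len(line)})
    return findings

def build_invite(candidate_line):
    """Constructed sample INVITE using documentation-range addresses."""
    body = b"\r\n".join([b"v=0", b"o=- 1 1 IN IP4 192.0.2.10", b"s=-",
                         b"c=IN IP4 192.0.2.10", b"t=0 0",
                         b"m=audio 49170 RTP/AVP 0", candidate_line, b""])
    head = b"\r\n".join([b"INVITE sip:1001@198.51.100.20 SIP/2.0",
                         b"From: <sip:alice@192.0.2.10>;tag=1",
                         b"Content-Type: application/sdp",
                         b"Content-Length: " + str(len(body)).encode()])
    return head + b"\r\n\r\n" + body

NORMAL = build_invite(PREFIX + b"1 1 UDP 2130706431 192.0.2.10 49170 typ host")
OVERSIZED = build_invite(PREFIX + b"x" * 300)  # constructed filler only

if __name__ == "__main__":
    for label, message in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, oversized_candidates(message))
```

Multipart bodies and TLS-protected SIP are outside what this check sees.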
Bigger Picture
CVE-2026-0826 is a clean example of an old bug class appearing in infrastructure that many organizations mentally downgrade as “appliance” hardware.
Stack overflows, weak firmware hardening, exposed protocol parsers, and long-lived embedded systems remain a dangerous combination. The fact that exploitation requires ICE to be enabled narrows the blast radius, but it does not erase the risk for environments that use NAT traversal or more complex voice configurations.
The broader lesson is simple: voice infrastructure is endpoint infrastructure. It needs inventory, patching, segmentation, monitoring, and incident-response coverage like any other networked system with privileged access to the enterprise.
NeuraCyb's Assessment
The real exposure in CVE-2026-0826 is not the conference phone on the table; it is the trust that phone inherits once it is plugged into the enterprise. A vulnerable VoIP device with root-level RCE is not a minor appliance issue. It is an internal foothold waiting for the wrong packet.
References
SecurityWeek — Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches
HP Security Bulletin — Poly Voice Products Stack Buffer Overflow