HP: Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches

Critical RCE Vulnerability in HP Poly VoIP Phones Exposes Enterprise Networks

Security researchers at Rapid7 have disclosed a critical-severity vulnerability (CVE-2026-0826, CVSS 9.2) in multiple HP Poly Voice VoIP phone models, enabling remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow in the parsing of Session Description Protocol (SDP) attributes, affects devices with Interactive Connectivity Establishment (ICE) enabled.

The vulnerability stems from an unchecked string copy in the candidate attribute parsing function, allowing attackers to trigger a buffer overflow by sending a maliciously crafted SIP INVITE request. Exploitation grants control over the program counter, registers, and stack data, bypassing ASLR and NX mitigations via Return Oriented Programming (ROP) chains. Successful attacks could lead to arbitrary code execution, providing a persistent foothold in enterprise networks.
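The root cause described above, shown from the fix side: an added example, not HP Poly firmware code or Rapid7's analysis, of parsing an SDP `a=candidate:` line so that every token is length-checked before it is copied into a fixed-size buffer. The struct, function names and field capacities are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacities are example assumptions; the 32-char foundation follows RFC 8839. */
struct ice_candidate {
    char foundation[33], transport[9], address[46], type[9];
    unsigned long long component, priority, port;
};

/* Copy one space-delimited token into dst; NULL if it is empty or would not fit. */
static const char *take_token(const char *s, char *dst, size_t cap) {
    size_t n = strcspn(s, " \r\n");
    if (n == 0 || n >= cap) return NULL;  /* reject: never truncate or overrun */
    memcpy(dst, s, n);
    dst[n] = '\0';
    return s[n] == ' ' ? s + n + 1 : s + n;
}

/* Parse a decimal field of at most 10 digits whose value must not exceed max. */
static const char *take_uint(const char *s, unsigned long long max,
                             unsigned long long *out) {
    char buf[11];
    const char *next = take_token(s, buf, sizeof buf);
    if (!next || strspn(buf, "0123456789") != strlen(buf)) return NULL;
    *out = strtoull(buf, NULL, 10);
    return *out <= max ? next : NULL;
}

/* Returns 0 on success, -1 if any field is missing, malformed or oversized. */
int parse_candidate(const char *line, struct ice_candidate *c) {
    static const char prefix[] = "a=candidate:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = line + sizeof prefix - 1;
    if (!(p = take_token(p, c->foundation, sizeof c->foundation))) return -1;
    if (!(p = take_uint(p, 256, &c->component))) return -1;
    if (!(p = take_token(p, c->transport, sizeof c->transport))) return -1;
    if (!(p = take_uint(p, 4294967295ULL, &c->priority))) return -1;
    if (!(p = take_token(p, c->address, sizeof c->address))) return -1;
    if (!(p = take_uint(p, 65535, &c->port))) return -1;
    if (!(p = take_token(p, c->type, sizeof c->type)) || strcmp(c->type, "typ")) return -1;
    return take_token(p, c->type, sizeof c->type) ? 0 : -1;
}

int main(void) {
    struct ice_candidate c;  /* constructed sample line, documentation address */
    int rc = parse_candidate("a=candidate:1 1 UDP 2130706431 192.0.2.10 5004 typ host", &c);
    printf("rc=%d type=%s\n", rc, rc ? "-" : c.type);
    return rc;
}
```

The same length checks can be applied at a SIP proxy or session border controller to drop INVITEs whose candidate fields exceed the expected sizes before they reach a phone.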

Affected models include HP VVX series (VVX 150, 250, 350, 450) and Trio IP Conference series (Trio 8800, 8500, 8300) VoIP phones. Patches are available, and disabling ICE connectivity serves as a temporary mitigation.

Rapid7’s Douglas McKee highlights the broader risk: these devices, often deployed in trusted environments like conference rooms and executive offices, lack endpoint protection and can be leveraged for eavesdropping, lateral movement, or harvesting sensitive audio for vishing, deepfake attacks, or fraud. The vulnerability underscores the threat posed by unsecured networked devices in high-value corporate settings.

Source: https://www.securityweek.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/

HP TPRM report: https://www.rankiteo.com/company/hppoly

"id": "hpp1780411927",
"linkid": "hppoly",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Enterprises using HP VVX series '
                                              '(VVX 150, 250, 350, 450) and '
                                              'Trio IP Conference series (Trio '
                                              '8800, 8500, 8300) VoIP phones',
                        'industry': 'Telecommunications/VoIP',
                        'name': 'HP Poly',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'Network (SIP INVITE request with maliciously crafted SDP '
                  'attributes)',
 'data_breach': {'sensitivity_of_data': 'High (sensitive corporate '
                                        'communications)',
                 'type_of_data_compromised': 'Audio data (potential '
                                             'eavesdropping)'},
 'description': 'Security researchers at Rapid7 have disclosed a '
                'critical-severity vulnerability (CVE-2026-0826, CVSS 9.2) in '
                'multiple HP Poly Voice VoIP phone models, enabling remote '
                'code execution (RCE) with root privileges. The flaw is a '
                'stack-based buffer overflow in the parsing of Session '
                'Description Protocol (SDP) attributes, affecting devices with '
                'Interactive Connectivity Establishment (ICE) enabled. '
                'Exploitation grants control over the program counter, '
                'registers, and stack data, bypassing ASLR and NX mitigations '
                'via Return Oriented Programming (ROP) chains. Successful '
                'attacks could lead to arbitrary code execution, providing a '
                'persistent foothold in enterprise networks.',
 'impact': {'operational_impact': 'Potential persistent foothold in enterprise '
                                  'networks, eavesdropping, lateral movement, '
                                  'harvesting sensitive audio for '
                                  'vishing/deepfake attacks or fraud',
            'systems_affected': 'HP Poly VoIP phones (VVX and Trio IP '
                                'Conference series)'},
 'lessons_learned': 'Unsecured networked devices in high-value corporate '
                    'settings (e.g., conference rooms, executive offices) pose '
                    'significant risks due to lack of endpoint protection and '
                    'potential for lateral movement or sensitive data '
                    'harvesting.',
 'post_incident_analysis': {'corrective_actions': 'Vendor patch to fix buffer '
                                                  'overflow vulnerability; '
                                                  'disable ICE connectivity as '
                                                  'temporary mitigation',
                            'root_causes': 'Unchecked string copy in candidate '
                                           'attribute parsing function leading '
                                           'to stack-based buffer overflow'},
 'recommendations': 'Apply vendor patches immediately; disable ICE '
                    'connectivity if patches cannot be applied; monitor VoIP '
                    'devices for suspicious activity; segment VoIP networks '
                    'from critical corporate systems.',
 'references': [{'source': 'Rapid7'}],
 'response': {'containment_measures': 'Patches available; disabling ICE '
                                      'connectivity as temporary mitigation',
              'remediation_measures': 'Apply vendor patches',
              'third_party_assistance': 'Rapid7 (security researchers)'},
 'title': 'Critical RCE Vulnerability in HP Poly VoIP Phones Exposes '
          'Enterprise Networks',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-0826 (Stack-based buffer overflow in SDP '
                            'attribute parsing)'}