Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches

Summary

A critical vulnerability (CVE-2026-0826, CVSS 9.2) affecting multiple HP Poly VoIP phone models allows remote code execution through a stack-based buffer overflow in SDP attribute parsing when ICE connectivity is enabled. Attackers can exploit the flaw by sending malicious SIP INVITE requests to gain root-level access and establish persistent footholds in enterprise networks. Patches are available for all affected HP VVX and Trio series phones; disabling ICE or updating firmware addresses the issue.

Full text

A critical-severity vulnerability in multiple HP Poly Voice VoIP phone models can be exploited for remote code execution (RCE) with root privileges, allowing attackers to gain a foothold in enterprise networks, Rapid7 warns. Tracked as CVE-2026-0826 (CVSS score of 9.2), the bug is described as a stack-based buffer overflow issue in the parsing of Session Description Protocol (SDP) attributes and affects devices that have the Interactive Connectivity Establishment (ICE) feature enabled. The security defect was identified in a function that parses individual components of candidate attributes. The parsing function is called during the processing of SDP data, when ICE is enabled. “The candidate attribute is intended to contain a transport address for a candidate that can be used for connectivity checks,” Rapid7 explains. The parser copies the incoming string line into a 256-byte stack buffer without checking its length, and a candidate attribute with a greater length can be supplied to trigger the buffer overflow. An attacker can exploit the vulnerability by sending a SIP INVITE request containing a malicious candidate attribute, which will trigger a crash, providing the attacker with control of the program counter, general-purpose registers, and data in the stack pointer.Advertisement. Scroll to continue reading. To bypass ASLR and No Execute (NX) mitigations, which prevent the execution of the stack data, the attacker can use a Return Oriented Programming (ROP) chain containing null bytes, which results in arbitrary code execution. The bug has been confirmed on HP VVX series (VVX 150, VVX 250, VVX 350, and VVX 450) and Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300) VoIP phones. Patches are available for all of them. Disabling ICE connectivity where it is not required mitigates the vulnerability. To fully address it, administrators are advised to update Poly Voice devices to a patched firmware release. According to Rapid7 vulnerability intelligence director Douglas McKee, the main issue is that these devices reside in inherently trusted places, including conference rooms, offices, help desks, and hospital stations. “A compromise in that context is not just about device access. It’s about what that access enables,” McKee notes, explaining that these devices typically don’t run endpoint protection software and can be abused to establish a persistent foothold into an environment and then intercept transmissions or move laterally. “A compromised desk phone sitting in an executive office or conference room is not just a way to eavesdrop on sensitive discussions. It can also become a collection point for exactly the kind of audio that can be reused in vishing, deep fakes, social engineering, or even fraudulent financial authorization attempts,” McKee says. Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Related: Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access Related: Recent Palo Alto Networks Vulnerability Exploited for Weeks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Dutch Police Dismantle Massive 17-Million-Device BotnetCritical Windows Netlogon Vulnerability in Attackers’ Crosshairs19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root AccessRecent Palo Alto Networks Vulnerability Exploited for WeeksExploit Code Published for Critical Flowise RCE VulnerabilityCharter Communications Data Breach Could Impact Nearly 5 MillionMokN Raises $15 Million for Phish-Back PlatformGogs Zero-Day Exposes Servers to Remote Code Execution Latest News Anthropic Expanding Mythos Access to 150 New OrganizationsThe Zero-Knowledge Threat Actor and the End of Responsible DisclosureOracle WebLogic Vulnerability Exploited in the WildMeta AI Hands Over High-Profile Instagram Accounts to HackersSupply Chain Attack Hits 32 Red Hat NPM PackagesDashlane Brute-Force Attack Leads to Limited Encrypted Vault DownloadsOracle’s First Monthly Patches Resolve 77 VulnerabilitiesWP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Roundtable: CISO Forum 2026 Mid-Year Review June 10, 2026 Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks. Register People on the MoveRapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.More People On The MoveExpert Insights The Zero-Knowledge Threat Actor and the End of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-0826

Entities