A critical vulnerability tracked as CVE-2026-0826 affects multiple HP Poly Voice VoIP phone models and allows remote code execution (RCE) with root privileges. The flaw is a stack-based buffer overflow in the phone's parsing of Session Description Protocol (SDP) attributes, the media description carried in the body of a SIP message. An attacker who can deliver a crafted SIP INVITE request to the phone triggers the overflow and gains control of the device. Affected models include the HP VVX and Trio IP conference series phones.
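The bug class described above, as an added example written for this page rather than code from HP, Poly or Rapid7: a hypothetical parser for SDP `a=<name>:<value>` lines, first in the pattern that produces a stack-based overflow (an unbounded copy of the attacker-controlled attribute value into a fixed stack buffer) and then hardened to reject over-long names and values before anything is copied. The buffer sizes, the `a=x-overlong` attribute and the sample SDP body are constructed for the illustration; the page does not identify which attribute the Poly phones mishandle, and this example makes no claim about that.

```c
/* Added illustration of the SDP attribute overflow class. Hypothetical code
 * for this page, not HP Poly firmware; sizes and sample data are constructed. */
#include <stdio.h>
#include <string.h>

#define SDP_NAME_MAX  32   /* deliberately small to keep the sample short */
#define SDP_VALUE_MAX 64

enum sdp_status {
    SDP_OK = 0,
    SDP_NOT_ATTR,          /* line is not an "a=" attribute */
    SDP_NAME_TOO_LONG,
    SDP_VALUE_TOO_LONG
};

struct sdp_attr {
    char name[SDP_NAME_MAX];
    char value[SDP_VALUE_MAX];
};

/* The vulnerable pattern: the attribute value is copied into a fixed stack
 * buffer with no length check, so a value of SDP_VALUE_MAX bytes or more
 * overwrites adjacent stack data, including the saved return address.
 * Kept for contrast only; nothing here calls it with untrusted input. */
static size_t parse_attr_unsafe(const char *line)
{
    char value[SDP_VALUE_MAX];
    const char *colon = strchr(line, ':');

    strcpy(value, colon ? colon + 1 : "");   /* BUG: unbounded copy */
    return strlen(value);
}

/* Hardened parser: measure first, reject anything that does not fit, copy last. */
static enum sdp_status parse_sdp_attr(const char *line, struct sdp_attr *out)
{
    size_t len = strcspn(line, "\r\n");      /* exclude the line terminator */
    const char *name, *colon, *value;
    size_t rest, name_len, value_len;

    if (len < 2 || line[0] != 'a' || line[1] != '=')
        return SDP_NOT_ATTR;
    name = line + 2;
    rest = len - 2;
    colon = memchr(name, ':', rest);         /* "a=<name>" or "a=<name>:<value>" */
    name_len = colon ? (size_t)(colon - name) : rest;
    value = colon ? colon + 1 : name + rest;
    value_len = rest - name_len - (colon ? 1 : 0);

    /* The check the unsafe version lacks: bound both fields before copying. */
    if (name_len >= SDP_NAME_MAX)   return SDP_NAME_TOO_LONG;
    if (value_len >= SDP_VALUE_MAX) return SDP_VALUE_TOO_LONG;

    memcpy(out->name, name, name_len);    out->name[name_len] = '\0';
    memcpy(out->value, value, value_len); out->value[value_len] = '\0';
    return SDP_OK;
}

/* Parse one line and report only the status. */
static enum sdp_status parse_status(const char *line)
{
    struct sdp_attr a;
    return parse_sdp_attr(line, &a);
}

/* Count the lines of an SDP body that the hardened parser reports as `want`. */
static int sdp_count(const char *sdp, enum sdp_status want)
{
    int n = 0;
    while (*sdp) {
        struct sdp_attr a;
        if (parse_sdp_attr(sdp, &a) == want)
            n++;
        sdp += strcspn(sdp, "\r\n");
        while (*sdp == '\r' || *sdp == '\n')
            sdp++;
    }
    return n;
}

#define A16 "AAAAAAAAAAAAAAAA"

/* Constructed sample SDP body: an ordinary ICE candidate and rtpmap
 * attribute, then an attribute whose 80-byte value exceeds the buffer. */
static const char SAMPLE_SDP[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=x-overlong:" A16 A16 A16 A16 A16 "\r\n";

int main(void)
{
    printf("benign value length via unsafe parser: %zu\n",
           parse_attr_unsafe("a=rtpmap:0 PCMU/8000"));
    printf("attributes accepted: %d, rejected as over-long: %d\n",
           sdp_count(SAMPLE_SDP, SDP_OK), sdp_count(SAMPLE_SDP, SDP_VALUE_TOO_LONG));
    return 0;
}
```

The hardened version never touches the destination buffer until both lengths are known to fit, which is the property a SIP stack needs when the INVITE body is attacker-controlled; rejecting the offer outright is preferable to truncating a value silently, since a truncated ICE candidate or codec line would just fail later in a less obvious place.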
Rapid7 advises updating to patched firmware and, as an interim mitigation, disabling the Interactive Connectivity Establishment (ICE) feature where it is not needed. The impact is amplified by where these phones sit: they are typically deployed on trusted internal networks, so a compromised handset gives an attacker a root-level foothold for eavesdropping on calls and for lateral movement into the rest of the network.