RAPID 7 disclosed a critical vulnerability (CVE-2026-0826) affecting HP Poly VoIP phones, specifically a stack-based buffer overflow that allows unauthenticated remote code execution (RCE) with root privileges. The flaw arises from improper handling of SDP data in ICE-enabled phones, permitting attackers to exploit it via specially crafted SIP INVITE requests. Affected models include the VVX 150, 250, 350, 450, and Trio 8800, 8500, 8300.
The recommended mitigation involves disabling ICE connectivity in non-essential environments and updating to patched firmware. This security risk poses significant threats as these devices are typically placed in secure areas, potentially enabling data breaches and fraud.