securityonline.info 6/5/2026, 5:41:30 AM · external

Poly VoIP Phone Vulnerability Revealed with Public Exploit Code Disclosed

CyberSIXT Evidence Panel
Primary Source: rapid7.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

A critical vulnerability (CVE-2026-0826) has been identified in Poly VoIP phones, particularly the VVX 450 series, with a high severity CVSS score of 9.2. Discovered by Rapid7, the flaw arises from improper validation in session protocol handling, allowing attackers to exploit a buffer overflow. This lets them execute remote scripts, potentially gaining administrative access without authentication.

Organizations are urged to upgrade immediately to firmware version 6.4.8 and to disable the vulnerable features where they are not in use, reducing exposure to potential remote code execution.


Article by CyberSIXT
