RESEARCHERS at Rapid7 have disclosed a critical remote code execution flaw affecting HP Poly VoIP phones, tracked as CVE-2026-0826, which allows unauthenticated attackers to gain root control of vulnerable devices. The issue was uncovered during a routine audit of the devices’ session initiation protocol implementation.
The vulnerability scores 9.2 on the CVSS scale and stems from a stack‑based buffer overflow in the handling of Session Description Protocol data during SIP INVITE processing. Successful exploitation lets an attacker execute arbitrary code with root privileges on the affected handset. Details of the flaw were published on securityonline.info.
Rapid7’s advisory notes that the flaw resides in the Interactive Connectivity Establishment component and can be triggered by a specially crafted SIP message. Proof‑of‑concept code demonstrating the exploit has been shared on public repositories, a point also highlighted by securityaffairs.com. This development underscores the urgency for defenders to review their VoIP estate.
Affected models include the VVX 150, 250, 350 and 450 series as well as the Trio 8800, 8500 and 8300 conference phones. These devices are often placed in trusted network segments, making them attractive pivot points for adversaries seeking internal access. The potential impact was outlined in a report by securityweek.com.
Although no active exploitation has been observed in the wild, the public availability of exploit code raises the likelihood of opportunistic attacks targeting unpatched handsets. Organisations should treat the flaw as imminent risk pending mitigation.
Mitigation consists of disabling ICE where it is not required and upgrading to firmware version 6.4.8 or later, as advised by Rapid7. Rapid7 states that these steps will neutralise the buffer‑overflow condition.
Security teams should inventory all VoIP endpoints and apply the patch promptly. They ought to segregate voice VLANs from data networks to limit lateral movement. Monitoring SIP traffic for anomalous payloads completes a basic hardening programme.