Critical Unauthenticated RCE in HP Poly VoIP Phones (CVE‑2026‑0826) Threatens Enterprise Telephony
What It Is – Rapid7 disclosed a critical, unauthenticated stack‑based buffer overflow (CVE‑2026‑0826) in the SDP parser of HP Poly VoIP phones. The flaw allows an attacker to overflow a 256‑byte buffer via a crafted SIP INVITE, leading to remote code execution (RCE) with root privileges.
Exploitability – The vulnerability is exploitable over the network without credentials. A proof‑of‑concept exists and demonstrates reliable RCE using a Return‑Oriented Programming (ROP) chain to bypass NX. CVSS v3.1 is estimated at 9.8 (Critical).
Affected Products – HP Poly VVX 150, 250, 350, 450 and Trio 8800, 8500, 8300 running firmware 6.4.7.4477 (or earlier).
TPRM Impact – Compromise of a VoIP endpoint gives attackers a foothold inside the corporate LAN, the ability to intercept or manipulate voice traffic, and a pivot point to other critical systems. Supply‑chain risk is high because many enterprises source HP Poly phones from the same OEM and often integrate them with unified‑communication platforms.
Recommended Actions –
- Verify firmware version on every HP Poly device.
- Immediately apply HP‑provided patches (firmware ≥ 6.4.7.4478).
- Disable ICE (Interactive Connectivity Establishment) on phones where it is not required.
- Segment VoIP infrastructure on dedicated VLANs and enforce strict SIP‑only firewall rules.
- Update TPRM inventories to flag HP Poly phones as high‑risk assets and require continuous monitoring.
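The first, second, third and fifth actions above reduce to a simple inventory audit: compare each affected model's firmware against the fixed version (6.4.7.4478) and flag phones that still have ICE enabled. The script below is an added example, not code from the advisory, Rapid7 or HP; the inventory records, hostnames and the `model`, `firmware` and `ice_enabled` field names are constructed for illustration, and the only values taken from the advisory are the affected models and the fixed firmware version.

```python
"""Audit an HP Poly phone inventory for CVE-2026-0826 exposure.

Added example: the inventory below is constructed sample data, and the
record layout (hostname, model, firmware, ice_enabled) is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Patched firmware version stated in the advisory.
FIXED_FIRMWARE = "6.4.7.4478"

# Models listed as affected in the advisory.
AFFECTED_MODELS = {
    "VVX 150", "VVX 250", "VVX 350", "VVX 450",
    "Trio 8800", "Trio 8500", "Trio 8300",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.4.7.4477' into (6, 4, 7, 4477) so versions compare numerically.

    A plain string comparison would rank '6.4.7.999' above '6.4.7.4478',
    which is exactly the mistake that lets an unpatched phone pass an audit.
    """
    parts = v.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True for an affected model whose firmware is below the fixed version.

    Unaffected models are never flagged; a shorter version tuple such as
    (6, 4, 7) compares below (6, 4, 7, 4478) and is therefore treated as old.
    """
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_FIRMWARE)


@dataclass(frozen=True)
class Phone:
    hostname: str
    model: str
    firmware: str
    ice_enabled: bool


def audit(inventory: List[Phone]) -> List[Tuple[str, str, str]]:
    """Return (hostname, finding_kind, detail) rows.

    PATCH: firmware below the fixed version on an affected model.
    ICE:   ICE still enabled; the advisory recommends disabling it where unused.
    """
    findings = []
    for p in inventory:
        if is_vulnerable(p.model, p.firmware):
            findings.append((p.hostname, "PATCH",
                             f"{p.model} on {p.firmware}, below {FIXED_FIRMWARE}"))
        if p.ice_enabled:
            findings.append((p.hostname, "ICE",
                             "ICE enabled; disable if not required"))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Phone("vvx-lobby-01", "VVX 450", "6.4.7.4477", ice_enabled=True),
    Phone("trio-boardroom", "Trio 8800", "6.4.7.4478", ice_enabled=False),
    Phone("vvx-desk-17", "VVX 250", "6.4.6.2000", ice_enabled=False),
    Phone("trio-8300-annex", "Trio 8300", "6.4.8.100", ice_enabled=True),
]

if __name__ == "__main__":
    for host, kind, detail in audit(SAMPLE_INVENTORY):
        print(f"{host:<18} {kind:<6} {detail}")
```

Run on the sample inventory, the audit reports two PATCH findings (the VVX 450 on 6.4.7.4477 and the VVX 250 on 6.4.6.2000) and two ICE findings; the Trio 8800 already on 6.4.7.4478 is clean. Feeding it a real export from the phone-management platform is a matter of building `Phone` records from that export's columns.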
Source: Security Affairs – Why an HP Poly VoIP Phones Bug Could Become an Enterprise Foothold