CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)

The Discovery of a Critical Vulnerability in HP VoIP Phones

A critical vulnerability in HP Poly VVX and Trio VoIP phones has been discovered. Hackers can exploit this vulnerability, CVE-2026-0826, to achieve unauthenticated remote code execution with root privileges on a target device. The vulnerability is present in the device’s parsing of Session Description Protocol attributes for Interactive Connectivity Establishment. It’s worth noting that the ICE feature must be enabled for the device to be exploitable by a remote attacker, although it is not enabled by default. This vulnerability affects all models in the VVX series and three models from the Trio IP Conference series, which is a significant concern.

The vulnerability is caused by a stack-based buffer overflow in the parsing of SDP attributes for ICE, allowing a remote attacker to execute arbitrary code with root privileges on the affected device. This is a serious issue, and users of these VoIP phones and conference devices are at risk of exploitation. For example, an attacker could use this vulnerability to gain control of a device and use it to launch further attacks on a network.

Uncovering the Vulnerability

Rapid7 Labs discovered the vulnerability during a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol phone. They validated the vulnerability on a VVX 450 device and confirmed that it affects all models in the VVX series and three models from the Trio IP Conference series. CVE-2026-0826 has a CVSSv4 score of 9.2, indicating a critical severity level. The affected devices include HP Poly VVX series VoIP phones and Trio IP Conference series devices. These devices are vulnerable to remote code execution with root privileges when the ICE feature is enabled.

The discovery of CVE-2026-0826 highlights the ongoing vulnerability of Internet of Things devices, particularly those used in enterprise settings, to sophisticated attacks. This trend shows that manufacturers need to prioritize secure-by-design principles and organizations need to implement security protocols for their IoT devices. A single vulnerability can affect multiple models across different product lines, which is a significant concern.

Protecting Yourself

To prevent exploitation, users should disable the ICE feature on all affected devices. Users should also update to a patched firmware version for VVX series and Trio IP Conference series devices. Restricting network access to affected devices until a patch can be applied is also recommended. It’s crucial to monitor device logs for signs of exploitation and investigate suspicious activity. Organizations should evaluate their IoT device security and consider implementing additional security measures, such as network segmentation and intrusion detection systems.

The timeline of events is straightforward: Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol phone, during which they discovered the critical unauthenticated stack-based buffer overflow vulnerability, validated it on a VVX 450 device, and confirmed its impact on all models in the VVX series and three models from the Trio IP Conference series.

Sources

1. https://www.rapid7.com/research
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0826