This is a loaded nail gun left on the voice VLAN, but only after someone flips the safety off
CVE-2026-0826 is a stack-based buffer overflow in HP Poly Voice phones on the Linux platform, triggered while parsing SDP a=candidate data for Interactive Connectivity Establishment (ICE). Rapid7 demonstrated unauthenticated remote code execution as root against a VVX 450, and HP's published affected ranges map to VVX before UCS 6.4.8, Trio 8300 before 8.1.7, and Trio 8500/8800 before 7.2.8.
In a vacuum this looks like a classic critical appliance RCE, and technically it is nasty. In real enterprise deployments, the biggest reality check is that ICE is not enabled by default, and these phones usually sit on internal voice networks rather than on the public internet; that sharply reduces reachable population and makes this more of a post-initial-access lateral-movement amplifier than a universal internet-fire alarm.
4 steps from start to impact.
Reach a Poly phone's SIP service
…polyapp process.
- Network path to the target phone's SIP service
- Target is an affected HP Poly VVX or Trio model on vulnerable firmware
- Most enterprises place desk phones on separate voice VLANs
- External internet exposure for enterprise phones is far less common than for VPNs, firewalls, or web apps
- NAC, ACLs, and UC segmentation often block workstation-to-phone traffic
Find a phone with ICE enabled
- ICE enabled on the device
- Attacker can elicit or infer ICE support via SIP
- ICE is explicitly described as non-default
- Many desk-phone deployments never enable ICE at all
- Even in UC-heavy estates, ICE use is environment-specific rather than universal
Send malformed SDP a=candidate data
- Attacker can send SIP/SDP traffic to the target
- Payload tailored for the phone family and firmware
- Embedded targets can require firmware-specific reliability work
- ROP and memory-layout details may vary across versions and models
…a=candidate lines in SIP traffic; scanner-side detection coverage will lag because this is not a normal HTTP management-plane bug.
Gain root on the phone and abuse it as a foothold
…root on the device. From there the phone becomes a low-visibility internal foothold for credential capture opportunities, traffic observation, call manipulation, or pivoting deeper into the voice environment.
- Exploit succeeds on target firmware
- Outbound or lateral network paths permit follow-on actions
- A phone is still a narrow beachhead, not instant domain compromise
- Voice VLAN routing and egress controls can contain pivoting
The supporting signals.
| Signal | Detail |
|---|---|
| In-the-wild status | No confirmed active exploitation found in the reviewed sources as of 2026-06-03; CISA ADP in Vulnrichment marks exploitation as none. |
| Public exploitability | Yes — Rapid7 published a technical write-up and a public Metasploit PR demonstrating unauthenticated root RCE. |
| EPSS | 0.00212 (very low probability estimate); that supports "not currently hot" threat activity, not "safe to ignore." |
| KEV status | Not KEV-listed; no CISA due date applies because it is absent from the KEV catalog. |
| CVSS context | NVD is awaiting analysis, but HP's CNA data exposed through NVD/OpenCVE shows CVSS v4 9.2 with AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H — the key realism term is AT:P, which maps to the non-default ICE prerequisite. |
| Affected versions | VVX < 6.4.8, Trio 8300 < 8.1.7, Trio 8500/8800 < 7.2.8 on Linux-based Poly Voice devices. |
| Fixed versions | Patch to UCS 6.4.8 for VVX, 8.1.7 for Trio 8300, and 7.2.8 for Trio 8500/8800. This is firmware, so there are no distro backports to lean on. |
| Exposure reality | No authoritative internet-wide exposure count was found in the reviewed sources. Practical exposure is usually internal voice VLAN reachability, not mass internet reachability, which is the main reason this scores below internet-edge RCEs. |
| Disclosure timeline | Published 2026-06-01 by HP; Rapid7 disclosed the issue the same day and noted HP provided remediation version numbers on 2026-05-18. |
| Researcher | Reported by Stephen Fewer / Rapid7 Labs. |
noisgate verdict.
The single most important downward pressure is the non-default ICE requirement: if the feature is off, there is no bug path to hit. This is still a HIGH because the reachable cases are pre-auth network RCE as root with public exploit code, and phones are often poorly monitored once an attacker is already inside the network.
Why this verdict
- Down from hypothetical CRITICAL: exploitation requires ICE to be enabled, which HP/Rapid7 say is not the default; that sharply narrows the reachable population.
- Down again: the attacker usually needs internal network reachability to voice infrastructure. That implies post-initial-access or a segmentation failure, not broad internet-edge exposure across most enterprises.
- Back up to HIGH: where those prerequisites are met, this is still pre-auth network RCE as root with a public Metasploit path, and desk phones often have weak detection, weak ownership, and long firmware lag.
Why not higher?
Because this is not a universal one-packet internet-edge problem across the whole install base. The attack path compounds two real brakes — non-default configuration and typical voice-network locality — which materially reduce both attacker reach and exposed population.
Why not lower?
Because once the path is open, the impact is not theoretical or partial: it is unauthenticated remote code execution with root privileges. Public exploit work already exists, and embedded voice devices are exactly the kind of unmanaged internal nodes attackers love for stealthy footholds.
What to do — in priority order.
- Disable ICE where unused — This is the best choke point because it removes the vulnerable feature path entirely. Review Poly provisioning templates and phone config for ICE-related settings and disable them within 30 days for all deployments that do not explicitly require ICE.
- Constrain SIP reachability — Allow SIP/SDP traffic to phones only from approved call-control, SBC, and UC management systems; block workstation, server, and guest segments from talking directly to phone SIP listeners. Put these ACL changes in place within 30 days to reduce lateral movement opportunity.
- Lock down voice VLAN east-west paths — Treat phones as semi-trusted embedded endpoints, not harmless peripherals. Restrict routing from user LANs into voice VLANs and limit phone egress so a compromised handset cannot pivot broadly; deploy within 30 days.
- Inventory firmware now — Build a device list keyed by model and UCS version so you can separate real exposure from noise and stage firmware remediation cleanly. Complete the inventory and exception list within 30 days.
- Watch SIP for oversized ICE candidates — Add detections for anomalous SIP messages carrying unusually long SDP a=candidate attributes or unusual OPTIONS/INVITE probing against phones. This will not prevent exploitation by itself, but it improves detection on a class of devices that usually lacks EDR; deploy within 30 days.
- MFA does nothing here because the exploit path is unauthenticated network parsing in the phone, not a user login flow.
- A web application firewall is mostly irrelevant because the vulnerable surface is SIP/SDP over the voice plane, commonly UDP/5060, not an HTTP app behind the WAF.
- Endpoint AV/EDR on laptops does not protect the target device because these phones are embedded Linux appliances that typically do not run your endpoint stack.
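Detection logic for the step-3 signal and the "Watch SIP for oversized ICE candidates" item above, as an added example that is not from the original page or from HP/Rapid7: it pulls a=candidate lines out of SIP INVITE bodies and flags any that are overlong or that do not fit the RFC 5245 candidate grammar. The MAX_CANDIDATE_LEN threshold and the sample messages are constructed assumptions, not real captures.

```python
import re

# Simplified RFC 5245 a=candidate grammar: foundation, component-id, transport,
# priority, connection-address, port, "typ" <type>, then optional raddr/rport
# and extension name/value pairs.
CANDIDATE_RE = re.compile(
    r'^a=candidate:[A-Za-z0-9+/]{1,32} \d{1,5} [A-Za-z]+ \d{1,10} '
    r'\S{1,64} \d{1,5} typ (?:host|srflx|prflx|relay)'
    r'(?: \S{1,32} \S{1,64})*\s*$'
)
# Generous upper bound for a legitimate candidate line (assumption; tune per estate).
MAX_CANDIDATE_LEN = 200

def sip_body(msg):
    """Return the SDP body of a SIP message as str (empty if there is no body)."""
    text = msg.decode(errors='ignore') if isinstance(msg, bytes) else msg
    for sep in ('\r\n\r\n', '\n\n'):
        if sep in text:
            return text.split(sep, 1)[1]
    return ''

def suspicious_candidates(msg):
    """List (reason, snippet) for a=candidate lines that are overlong or malformed."""
    findings = []
    for line in sip_body(msg).splitlines():
        if not line.startswith('a=candidate:'):
            continue
        if len(line) > MAX_CANDIDATE_LEN:
            findings.append(('overlong', line[:48] + '...'))
        elif not CANDIDATE_RE.match(line):
            findings.append(('malformed', line[:48] + '...'))
    return findings

# Constructed sample messages (not real captures).
_HDR = ('INVITE sip:phone@192.0.2.10 SIP/2.0\r\n'
        'Content-Type: application/sdp\r\n\r\n'
        'v=0\r\no=- 1 1 IN IP4 192.0.2.20\r\ns=-\r\nm=audio 4000 RTP/AVP 0\r\n')
BENIGN_INVITE = _HDR + 'a=candidate:1 1 UDP 2130706431 192.0.2.20 4000 typ host\r\n'
OVERLONG_INVITE = _HDR + 'a=candidate:' + 'A' * 600 + ' 1 UDP 1 192.0.2.20 4000 typ host\r\n'
MALFORMED_INVITE = _HDR + 'a=candidate:1 1 UDP 2130706431 192.0.2.20 4000 typ bogus\r\n'

if __name__ == '__main__':
    for name, m in (('benign', BENIGN_INVITE), ('overlong', OVERLONG_INVITE),
                    ('malformed', MALFORMED_INVITE)):
        print(name, suspicious_candidates(m))
```

Feed it the raw UDP payloads your SIP capture or IDS hands you; a non-empty result is the alert condition, and the snippet keeps the log line short even when the offending attribute is huge.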
Crowdsourced verification payload.
Run this from an auditor workstation or jump host with network reachability to the phone's SIP port; you do not run it on the phone itself. Invoke it as python3 poly_cve_2026_0826_check.py 10.20.30.40 or python3 poly_cve_2026_0826_check.py 10.20.30.40 5060; no admin rights are required, but your source host must be allowed to send UDP to the target.
```python
#!/usr/bin/env python3
# poly_cve_2026_0826_check.py
# Best-effort remote check for HP Poly Voice CVE-2026-0826.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/network error
import re
import sys
import socket
import uuid
from itertools import zip_longest

# First fixed UCS release per product family (from HP's advisory).
FIXED = {
    'vvx': '6.4.8',
    'trio_8300': '8.1.7',
    'trio_8500': '7.2.8',
    'trio_8800': '7.2.8',
}


def norm_version(v):
    """'6.4.8.1234' -> [6, 4, 8, 1234]; tolerates None and stray text."""
    return [int(x) for x in re.findall(r'\d+', v or '')]


def version_lt(a, b):
    """Numeric component-wise comparison; missing trailing components count as 0."""
    for x, y in zip_longest(norm_version(a), norm_version(b), fillvalue=0):
        if x < y:
            return True
        if x > y:
            return False
    return False


def classify_product(text):
    """Map a User-Agent/Server string to a FIXED key."""
    t = text.lower()
    if 'vvx' in t:
        return 'vvx'
    for model in ('8300', '8500', '8800'):
        if f'trio {model}' in t or f'trio_{model}' in t:
            return f'trio_{model}'
    return None


def ua_headers(text):
    """Return only the User-Agent and Server header values, so IP addresses the
    phone echoes back in Via/To/Contact are never mistaken for a version."""
    return ' '.join(re.findall(r'^(?:User-Agent|Server)\s*:\s*(.*)$', text, re.I | re.M))


def extract_version(text):
    patterns = [
        r'\bversion\s*[:/ ]\s*([0-9]+(?:\.[0-9]+){1,4})',
        r'\bucs\s*[:/ ]\s*([0-9]+(?:\.[0-9]+){1,4})',
        r'\b([0-9]+(?:\.[0-9]+){2,4})\b',
    ]
    for p in patterns:
        m = re.search(p, text, re.I)
        if m:
            return m.group(1)
    return None


def ice_supported(text):
    """True only when a Supported header advertises the RFC 5768 'ice' option tag.
    A 420 Bad Extension or an 'Unsupported: ice' reply means the phone rejected it,
    so a bare substring match on 'ice' (which also hits 'Service', 'Device', ...)
    is not good enough."""
    if re.search(r'^SIP/2\.0\s+420\b', text, re.M):
        return False
    if re.search(r'^Unsupported\s*:.*\bice\b', text, re.I | re.M):
        return False
    return bool(re.search(r'^Supported\s*:.*\bice\b', text, re.I | re.M))


def build_options(target_ip, local_ip, local_port):
    """Build the SIP OPTIONS probe. Via and Contact carry the socket's real local
    address plus ';rport' so a strict stack sends its reply back to this socket
    rather than to a placeholder address. 'Require: ice' asks the phone to reject
    the request (420) if it does not support ICE."""
    branch = uuid.uuid4().hex[:8]
    callid = uuid.uuid4().hex
    return (
        f"OPTIONS sip:{target_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};rport;branch=z9hG4bK-{branch}\r\n"
        f"From: <sip:audit@local>;tag=ng1\r\n"
        f"To: <sip:{target_ip}>\r\n"
        f"Call-ID: {callid}\r\n"
        f"CSeq: 1 OPTIONS\r\n"
        f"Max-Forwards: 70\r\n"
        f"Contact: <sip:audit@{local_ip}:{local_port}>\r\n"
        f"Accept: application/sdp\r\n"
        f"Require: ice\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode()


def main():
    if len(sys.argv) not in (2, 3):
        print('UNKNOWN - usage: python3 poly_cve_2026_0826_check.py <ip> [port]')
        sys.exit(3)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) == 3 else 5060
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3.0)
    try:
        # UDP connect() only fixes the peer; it lets the OS pick the local
        # address/port that we then advertise in Via/Contact.
        sock.connect((host, port))
        local_ip, local_port = sock.getsockname()[:2]
        sock.send(build_options(host, local_ip, local_port))
        data = sock.recv(8192)
    except OSError as e:  # covers socket.timeout and unreachable-host errors
        print(f'UNKNOWN - no SIP response from {host}:{port} ({e})')
        sys.exit(2)
    finally:
        sock.close()
    text = data.decode(errors='ignore')
    ua = ua_headers(text)
    product = classify_product(ua or text)
    version = extract_version(ua)
    ice_seen = ice_supported(text)
    if not product or not version:
        print('UNKNOWN - got SIP response but could not confidently fingerprint Poly model/version')
        sys.exit(2)
    fixed = FIXED.get(product)
    if not fixed:
        print(f'UNKNOWN - unsupported product fingerprint {product}, version {version}')
        sys.exit(2)
    if version_lt(version, fixed):
        if ice_seen:
            print(f'VULNERABLE - {product} version {version} is below fixed {fixed} and SIP response indicates ICE support')
            sys.exit(1)
        print(f'UNKNOWN - {product} version {version} is below fixed {fixed}, but ICE enablement could not be confirmed remotely')
        sys.exit(2)
    print(f'PATCHED - {product} version {version} is at or above fixed {fixed}')
    sys.exit(0)


if __name__ == '__main__':
    main()
```