HP patches critical CVE-2026-0826 in Poly VoIP phones that can let attackers remotely take over devices

HP released fixes for a critical flaw in several Poly Voice VoIP phone models that could let an attacker remotely seize control of a phone and use it as a foothold inside a company network. Rapid7 said CVE-2026-0826 is a stack-based buffer overflow in Session Description Protocol (SDP) parsing when Interactive Connectivity Establishment (ICE) is enabled, affecting Poly VVX 150/250/350/450 and Trio 8300/8500/8800 devices. A malicious SIP INVITE can trigger root-level remote code execution, and HP has published patched firmware.
Why it matters: Organizations using these desk and conference phones should treat this as urgent because compromised voice devices often sit on trusted internal networks and typically lack security tooling. Update affected Poly firmware now and disable ICE where it is not needed.

Sources

Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches
Ionut Arghire 2026.06.02
This article appears to be the first tracked report establishing the disclosure, affected HP Poly models, CVE-2026-0826 details, attack path, and available mitigations.