Endpoint Security Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches A stack-based buffer overflow bug can be exploited for remote code execution on a vulnerable device. By Ionut Arghire | June 2, 2026 (8:25 AM ET) Flipboard Reddit Whatsapp Whatsapp Email A critical-severity vulnerability in multiple HP Poly Voice VoIP phone models can be exploited for remote code execution (RCE) with root privileges, allowing attackers to gain a foothold in enterprise networks, Rapid7 warns. Tracked as CVE-2026-0826 (CVSS score of 9.2), the bug is described as a stack-based buffer overflow issue in the parsing of Session Description Protocol (SDP) attributes and affects devices that have the Interactive Connectivity Establishment (ICE) feature enabled. The security defect was identified in a function that parses individual components of candidate attributes. The parsing function is called during the processing of SDP data, when ICE is enabled. “The candidate attribute is intended to contain a transport address for a candidate that can be used for connectivity checks,” Rapid7 explains . The parser copies the incoming string line into a 256-byte stack buffer without checking its length, and a candidate attribute with a greater length can be supplied to trigger the buffer overflow. An attacker can exploit the vulnerability by sending a SIP INVITE request containing a malicious candidate attribute, which will trigger a crash, providing the attacker with control of the program counter, general-purpose registers, and data in the stack pointer. Advertisement. Scroll to continue reading. To bypass ASLR and No Execute (NX) mitigations, which prevent the execution of the stack data, the attacker can use a Return Oriented Programming (ROP) chain containing null bytes, which results in arbitrary code execution. The bug has been confirmed on HP VVX series (VVX 150, VVX 250, VVX 350, and VVX 450) and Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300) VoIP phones. Patches are available for all of them. Disabling ICE connectivity where it is not required mitigates the vulnerability. To fully address it, administrators are advised to update Poly Voice devices to a patched firmware release. According to Rapid7 vulnerability intelligence director Douglas McKee, the main issue is that these devices reside in inherently trusted places, including conference rooms, offices, help desks, and hospital stations. “A compromise in that context is not just about device access. It’s about what that access enables,” McKee notes , explaining that these devices typically don’t run endpoint protection software and can be abused to establish a persistent foothold into an environment and then intercept transmissions or move laterally. “A compromised desk phone sitting in an executive office or conference room is not just a way to eavesdrop on sensitive discussions. It can also become a collection point for exactly the kind of audio that can be reused in vishing, deep fakes, social engineering, or even fraudulent financial authorization attempts,” McKee says. Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Related: Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access Related: Recent Palo Alto Networks Vulnerability Exploited for Weeks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access Recent Palo Alto Networks Vulnerability Exploited for Weeks Exploit Code Published for Critical Flowise RCE Vulnerability Charter Communications Data Breach Could Impact Nearly 5 Million MokN Raises $15 Million for Phish-Back Platform Gogs Zero-Day Exposes Servers to Remote Code Execution Chrome 148 Update Patches 151 Vulnerabilities Geordie Raises $30 Million for AI Security and Governance Platform Latest News Oracle WebLogic Vulnerability Exploited in the Wild Meta AI Hands Over High-Profile Instagram Accounts to Hackers Supply Chain Attack Hits 32 Red Hat NPM Packages Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads Oracle’s First Monthly Patches Resolve 77 Vulnerabilities WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Dutch Police Dismantle Massive 17-Million-Device Botnet Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit On-Demand Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the Move Rapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board. Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter. CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity. More People On The Move Expert Insights Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email