HP Poly VoIP Vulnerability Enables Root Access and Voice Deepfakes

The point: A critical buffer overflow vulnerability (CVE-2026-0826) in HP Poly conference phones allows unauthenticated attackers to gain root access and potentially capture voice recordings for AI-based deepfakes.

HP has released patches for a critical buffer overflow vulnerability in several IP conference phones from the Poly series. The vulnerability allows unauthenticated attackers to gain root access and eavesdrop on calls or collect voice data for AI-enabled identity theft attacks.

The vulnerability, identified as CVE-2026-0826, was discovered by researchers from the security firm Rapid7. It resides in the code that processes Session Description Protocol (SDP) attributes when the Interactive Connectivity Establishment (ICE) function is enabled. ICE enables VoIP devices to establish peer-to-peer connections across the shortest available network path. The function is not enabled by default on HP Poly devices; HP recommends that administrators disable it if it is not required.

The vulnerability, rated 9.2 on the CVSS scale, affects all phones in the HP Poly VVX series as well as the conference devices Trio 8300, 8500, and 8800. HP fixed the vulnerability in version 6.4.8 of Poly Unified Communications Software (UCS) for VVX devices, 8.1.7 for Trio 8300, and 7.2.8 for Trio 8500 and 8800. The buffer overflow occurs in the ParseICECandidate function of the polyapp binary, which copies an incoming string into a 256-byte stack buffer without checking its length. Strings longer than 256 bytes cause the overflow. Although Address Space Layout Randomization (ASLR) is enabled on the devices, it is ineffective because the load addresses of .so files (shared objects) such as libc are not randomized. Attackers can use these static addresses to execute arbitrary commands as root via ROP chains.

An exploit module for the widely used penetration testing framework Metasploit (maintained by Rapid7) is already publicly available. The exploit sends a SIP INVITE request with a crafted candidate attribute, which normally contains transport addresses for connectivity checks in accordance with RFC 8839. When ICE is enabled on the device, this results in code execution with root privileges.
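
A defensive check that follows from the description above, as an added example rather than code from the article, Rapid7 or HP: it scans the SDP body of a SIP message for `a=candidate:` values too long for a 256-byte buffer. The sample INVITE, its documentation addresses and the choice to measure only the attribute value are assumptions made for illustration.

```python
# Added example (not from the article or the vendor): flag SDP bodies whose
# ICE candidate attribute could not fit the 256-byte buffer the article names.
CANDIDATE_LIMIT = 256      # buffer size reported for ParseICECandidate
PREFIX = "a=candidate:"    # SDP attribute defined in RFC 8839


def sdp_body(message: str) -> str:
    """Return the body of a SIP message (everything after the blank line)."""
    normalized = message.replace("\r\n", "\n")
    _, _, body = normalized.partition("\n\n")
    return body


def oversized_candidates(message: str, limit: int = CANDIDATE_LIMIT):
    """Return (sdp_line_number, value_length_in_bytes) for suspicious lines.

    Assumption: the length that matters is the value after "a=candidate:".
    The check uses >= so a value of exactly `limit` bytes is also flagged,
    which is deliberately conservative for a detection rule.
    """
    findings = []
    for number, line in enumerate(sdp_body(message).split("\n"), start=1):
        if line.lower().startswith(PREFIX):
            length = len(line[len(PREFIX):].encode("utf-8"))
            if length >= limit:
                findings.append((number, length))
    return findings


def build_invite(candidate_value: str) -> str:
    """Constructed, trimmed sample INVITE using documentation addresses."""
    sdp = "\r\n".join([
        "v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
        "t=0 0", "m=audio 49170 RTP/AVP 0", PREFIX + candidate_value,
    ]) + "\r\n"
    headers = "\r\n".join([
        "INVITE sip:phone@198.51.100.20 SIP/2.0",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return headers + "\r\n\r\n" + sdp


NORMAL = build_invite("1 1 UDP 2130706431 192.0.2.10 49170 typ host")
OVERSIZED = build_invite("1 1 UDP 2130706431 " + "x" * 300 + " 49170 typ host")

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, oversized_candidates(msg))
```

A legitimate candidate line is well under the limit, so a rule like this on a SIP proxy or session border controller should produce few false positives.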

VoIP phones are attractive to attackers because, unlike laptops, workstations, and servers, they are typically not monitored by Endpoint Detection and Response (EDR) products. This makes them network entry points that can remain undetected for a long time. In the age of generative AI models, they are additionally valuable because attackers now need only relatively small amounts of voice data to create deepfakes of high-ranking individuals.


Source: www.csoonline.com · Published June 2, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.