HP Poly VoIP Vulnerability Sets the Stage for Executive Voice Deepfakes

HP Poly VoIP Vulnerability Alert 🚨

HP has released patches for a critical buffer overflow vulnerability in multiple IP-enabled conference phones from its Poly Voice line. This remote code execution flaw enables root access and voice attacks on HP Poly VoIP phones, including eavesdropping and the ability to collect audio to generate deepfakes.

The flaw allows unauthenticated attackers to obtain root privileges on the underlying operating system, potentially enabling them to execute other attacks such as eavesdropping on conversations and recording voice data for AI-enabled impersonation attacks. The vulnerability, tracked as CVE-2026-0826, was discovered by researchers from security firm Rapid7 and resides in the code that parses Session Description Protocol (SDP) attributes when the Interactive Connectivity Establishment (ICE) feature is enabled.

The flaw, rated 9.2 on the CVSS severity scale, affects all phones from the HP Poly VVX series, as well as the Trio 8300, 8500, and 8800 IP conference devices. HP has fixed the flaw in its Poly Unified Communications Software (UCS) versions 6.4.8 for the VVX devices, 8.1.7 for the Trio 8300, and 7.2.8 for Trio 8500 and 8800. The ICE feature is not enabled by default on HP Poly devices, and the company advises administrators to disable it if it’s not needed.

Exploit Development 💻

An exploit module targeting this vulnerability has already been developed and released for the widely used Metasploit penetration testing framework that’s maintained by Rapid7. The exploit executes code as root on an affected device with ICE enabled by sending a SIP INVITE request with a specially crafted candidate attribute.

The buffer overflow bug is located in a helper function called ParseICECandidate in the polyapp binary that processes such requests on the device. Stephen Fewer, senior principal security researcher at Rapid7, explained that the function contains a call to memcpy, which will copy the incoming string line being processed into a 256-byte stack buffer. No length check is performed to ensure the incoming string length is less than 256 bytes, leading to a stack-based buffer overflow.
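As an added illustration of the bug class described above (not Rapid7's or HP's code), the following hypothetical hardened parser copies one SDP `a=candidate:` line into a 256-byte stack buffer only after the length check the page says was missing, and reports an oversized line separately from a malformed one. The sample lines and the `ice_candidate` layout are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANDIDATE_BUF_SIZE 256   /* fixed stack buffer size named in the write-up */

/* Constructed field layout; a real stack would carry more ICE attributes. */
typedef struct {
    char foundation[33];
    int component;
    char transport[8];
    unsigned long priority;
    char address[64];
    int port;
} ice_candidate;

/* Returns 0 on success, -1 if the line would overflow the buffer, -2 if malformed. */
int parse_ice_candidate(const char *line, ice_candidate *out) {
    char buf[CANDIDATE_BUF_SIZE];
    size_t len = strlen(line);
    /* The check the vulnerable code lacked: refuse anything that does not fit,
     * including the terminating NUL, before any bytes are copied. */
    if (len >= sizeof buf) return -1;
    memcpy(buf, line, len + 1);
    const char *p = buf;
    if (strncmp(p, "a=candidate:", 12) == 0) p += 12;
    else if (strncmp(p, "candidate:", 10) == 0) p += 10;
    else return -2;
    /* Width limits on every %s keep each token inside its destination field. */
    if (sscanf(p, "%32s %d %7s %lu %63s %d", out->foundation, &out->component,
               out->transport, &out->priority, out->address, &out->port) != 6)
        return -2;
    if (out->port < 0 || out->port > 65535) return -2;
    return 0;
}

/* Constructed sample line of the kind carried in a SIP INVITE's SDP body. */
const char SAMPLE_OK[] = "a=candidate:1 1 UDP 2130706431 192.0.2.10 5060 typ host";

/* Builds a candidate line of exactly `total` bytes by padding the foundation field. */
char *build_candidate_line(size_t total) {
    const char *head = "a=candidate:";
    const char *tail = " 1 UDP 2130706431 192.0.2.10 5060 typ host";
    size_t fixed = strlen(head) + strlen(tail);
    if (total <= fixed) return NULL;
    char *line = malloc(total + 1);
    if (!line) return NULL;
    size_t pad = total - fixed;
    memcpy(line, head, strlen(head));
    memset(line + strlen(head), 'x', pad);
    memcpy(line + strlen(head) + pad, tail, strlen(tail) + 1);
    return line;
}

/* Parses a padded line of the given length and returns the parser's verdict. */
int parse_result_for_length(size_t total) {
    ice_candidate c;
    char *line = build_candidate_line(total);
    if (!line) return -3;
    int r = parse_ice_candidate(line, &c);
    free(line);
    return r;
}
```

A 300-byte line is refused before the copy (-1), while a 255-byte line fits the buffer and is then rejected as malformed (-2) because its padded foundation field does not parse.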

Increasing Threats 📈

Attackers have increasingly targeted embedded devices inside enterprise networks in recent years because, unlike laptops, workstations, and servers, these devices are not monitored by endpoint detection and response (EDR) products. This provides perfect footholds inside corporate environments, allowing attackers to remain undetected for long periods and attack other systems.

In the age of AI, these devices become even more relevant to attackers, whose goals extend beyond corporate espionage through recorded conversations or pivoting into the internal network. Douglas McKee, Rapid7’s director of vulnerability intelligence, noted that voice data has become far more valuable than many organizations seem prepared to admit.

Attackers could collect audio and then use AI deepfakes to impersonate executives in calls to employees and business partners to authorize fraudulent transactions, gain access to sensitive systems, and more. McKee emphasized that voice infrastructure can now support both traditional espionage objectives and modern AI-enabled fraud operations at the same time.

For more details, check out the full article.

This post is licensed under CC BY 4.0 by the author.