Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: unauth (2 articles)Clear

HP Poly VVX VoIP phones: unauthenticated root RCE CVE-2026-0826 via oversized ICE candidate in SIP INVITE, patches available

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.

Check
Inventory HP Poly VoIP phones (VVX and ICE-enabled models) by firmware. Confirm SIP/VoIP interfaces are not reachable from untrusted networks. Apply the CVE-2026-0826 patch for affected models.
Affected
HP Poly VoIP phones (VVX 450 confirmed) with ICE enabled. An unauthenticated SIP INVITE carrying an oversized ICE candidate triggers a root-level stack overflow; fixed-address libraries make ROP practical.
Fix
Apply Rapid7-referenced patches immediately. Place VoIP phones on a dedicated VLAN with strict ACLs. Block SIP from untrusted networks and monitor for malformed INVITE traffic.

Cisco patches CVSS 10.0 Secure Workload flaw (CVE-2026-20223): unauthenticated REST API access grants Site Admin across tenants

Cisco has patched a maximum-severity flaw, CVE-2026-20223, in the internal REST APIs of Cisco Secure Workload (formerly Tetration), the zero-trust microsegmentation platform used to stop lateral movement in enterprise environments. Insufficient authentication on the affected endpoints lets an unauthenticated remote attacker craft a request that returns sensitive data and modifies configuration with Site Admin privileges across tenant boundaries. Cisco's PSIRT says there is no evidence of in-the-wild exploitation yet and no workaround exists. The on-prem fixed releases are 3.10.8.3 and 4.0.3.17; the SaaS deployment has already been patched. Sites running 3.9 or earlier must migrate to a fixed release.

Check
Inventory Cisco Secure Workload (Tetration) on-prem deployments and their version. Check whether SaaS is in use (already auto-patched). Review API access logs for unauthenticated calls succeeding.
Affected
Cisco Secure Workload 3.10.x before 3.10.8.3, 4.0.x before 4.0.3.17, and any 3.9 or earlier release. SaaS deployment already fixed by Cisco. No workaround available.
Fix
Upgrade on-prem to 3.10.8.3 or 4.0.3.17. Sites on 3.9 or earlier must migrate to a fixed release. No workaround - patching is the only option.