The vulnerability is a stack-based buffer overflow in the parsing of Session Description Protocol (SDP) candidate attributes on HP Poly Voice VoIP phones with ICE enabled. The parsing function copies input into a fixed 256-byte stack buffer without length checks, allowing an attacker to overflow the buffer by sending a SIP INVITE request with an oversized candidate attribute. Exploitation leads to control over the program counter and registers, enabling remote code execution with root privileges via a Return Oriented Programming (ROP) chain that bypasses ASLR and NX protections. Confirmed affected models include HP VVX 150, 250, 350, 450, and Trio IP Conference 8300, 8500, and 8800 series. Patches have been released for all affected devices.

Successful exploitation allows remote attackers to execute arbitrary code with root privileges on vulnerable HP VoIP phones. This can result in attackers establishing persistent access within enterprise networks, potentially enabling lateral movement, interception of sensitive communications, and use of compromised devices for social engineering or fraud. The affected devices are often deployed in trusted locations without endpoint protection, increasing the risk and impact of compromise.

Patches are available for all affected HP Poly Voice VoIP phone models and should be applied promptly to fully remediate the vulnerability. Where possible, administrators should disable the ICE feature on devices that do not require it to mitigate the risk. No indication from the vendor or advisory suggests that no action is required; therefore, updating firmware is the recommended remediation.