CVE-2026-0754 PUBLISHED

SIP Service Providers – Possible Impersonation of Poly Voice Device

Assigner: hp
Reserved: 08.01.2026 Published: 03.03.2026 Updated: 03.03.2026

An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 8.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	HP Inc
Product	VVX
Versions	Default: unaffected affected from 0 to <UCS 6.4.8 (excl.)

Vendor	HP Inc
Product	Edge E
Versions	Default: unaffected affected from 0 to <PVOS 8.5.0 (excl.)

Vendor	HP Inc
Product	Trio 8300
Versions	Default: unaffected affected from 0 to <UCS 8.1.7.c (excl.)

References

https://support.hp.com/us-en/document/ish_14269649-14269682-16/hpsbpy04081

Problem Types

CWE-321 CWE